HOW SECURE IS VETERANS’ PRIVACY 
INFORMATION? 

Tuesday, June 4, 2013 

U.S. House of Representatives, 

Committee on Veterans’ Affairs, 
Subcommittee on Oversight and Investigations, 

Washington, D.C. 

The Subcommittee met, pursuant to notice, at 2:50 p.m., in Room 
334, Cannon House Office Building, Hon. Mike Coffman [Chairman 
of the Subcommittee] presiding. 

Present: Representatives Coffman, Lamborn, Roe, Huelskamp, 
Walorski, Kirkpatrick, O’Rourke, and Walz. 

OPENING STATEMENT OF CHAIRMAN COFFMAN 

Mr. Coffman. Good afternoon. I would like to welcome everyone 
to today’s hearing titled “How Secure is Veterans’ Private Informa- 
tion?” Reports from VA’s Office of Inspector General, private in- 
spector consultants brought on by VA, and this Subcommittee’s 
own investigation have revealed tremendous problems within VA’s 
Office of Information and Technology. Some of these issues have 
been made public in the Inspector General reports which outline 
mismanagement of human measures and the lack of much-needed 
technical expertise. 

Other issues have been less publicized, such as those captured in 
the Deloitte, quote/unquote, “DeepDive” that identified gaps in 
OI&T’s organizational structure and a poorly executed business 
model. The latter report recognized the growth of VA by 33 percent 
since 2006, growth that is mirrored by the expansion of VA’s com- 
puter network. Unfortunately, there has not been a comparable 
growth in the technical personnel needed to manage security of 
VA’s sprawling network. 

These failures have created problems for both the Department 
and for veterans. The Inspector General substantiated that VA was 
transmitting sensitive data, including personally identifiable infor- 
mation and internal network routing information, over an 
unencrypted telecommunications carrier network, both violations of 
Federal regulation and basic IT security. The IG also noted that 
VA has not implemented technical configuration controls to ensure 
encryption of sensitive data, despite VA and Federal information 
security requirements. 

Similarly, it is evident that software patches are not up-to-date 
across the network, too many users have administrative access, se- 
curity software is not up-to-date on older computers, and computer 
ports are not properly secured. There is little to no security of file 
transfer protocol and Web pages are vulnerable, allowing unauthorized 
access to veterans’ unprotected personal information within 
the system. 

While these issues alone give cause for grave concern, this Sub- 
committee’s investigation has identified even greater problems. The 
entire veteran database in VA, containing personally identifiable 
information on roughly 20 million veterans, is not encrypted, and 
evidence suggests that it has repeatedly been compromised since 
2010 by foreign actors, including China and possibly by Russia. 

Recently, the Subcommittee discussed VA’s authorization to oper- 
ate, a formal declaration that authorizes operation of a product on 
VA’s network which explicitly accepts the risk to agency operators 
and was told that, quote, “VA’s secrecy posture was never at risk,” 
unquote. In fact, VA’s security posture has been an unacceptable 
risk for at least 3 years as sophisticated actors use weaknesses in 
VA’s security posture to exploit the system and remove veterans’ 
information and system passwords. While VA knew foreign intrud- 
ers had been in the network, the Department was never sure what 
exactly these foreign actors took because the outgoing data was 
encrypted by the trespassers. 

These actors have had constant access to VA systems and data, 
information which included unencrypted databases containing hun- 
dreds of thousands to millions of instances of veterans’ information, 
such as veterans’ and dependents’ names, Social Security numbers, 
dates of birth, and protected health information. Notwithstanding 
these problems, VA has waived or arbitrarily extended accredita- 
tion of its security system on its network. It is evident that VA’s 
waivers or extensions of accreditation only appear to resolve mate- 
rial weaknesses without actually resolving those weaknesses. 

VA’s IT management knowingly accepted the security risk by 
waiving the security requirements even though such waivers are 
not appropriate. This lapse in computer security and the subse- 
quent attempts by VA officials to conceal this problem are intoler- 
able, and I look forward to a candid discussion about these issues. 

I now yield to Ranking Member Kirkpatrick for her opening 
statement. 

[The prepared statement of Chairman Coffman appears in the Appendix] 

OPENING STATEMENT OF HON. ANN KIRKPATRICK 

Mrs. Kirkpatrick. Thank you, Mr. Chairman. 

As the Department of Veterans Affairs works hard to serve the 
needs of today’s veterans, they must work equally hard to protect 
their personal information. Today’s hearing is an attempt to deter- 
mine whether a veteran’s private information is secure. 

Mr. Chairman, veterans need to know that when they ask the 
VA for services and benefits that they have earned, the information 
they submit in order to get those benefits will not be compromised 
under any circumstances. I hope that the VA came prepared today 
to provide assurances to Congress and veterans that their informa- 
tion technology systems are secure. We expect VA to also answer 
our questions directly and honestly. As we get questions from vet- 
erans in our district, we want to provide complete and honest an- 
swers to them. 
Congress received a letter from Mr. Jerry L. Davis, now a former 
employee at the VA, who states that, quote, “There is a clear and 
present danger and risk of exposure and compromise of sensitive 
data,” end quote. 

Mrs. Kirkpatrick. I share the Chairman’s concern on whether 
VA is following the required government practices and policies re- 
garding the monitoring and remediation of system risk. 

Two OIG reports, from 2012 and 2013, raised additional con- 
cerns. The 2012 report questions whether the agency has the prop- 
er strategic human capital management program to meet mission- 
critical system capabilities as the VA moves into the 21st century. 
The second, 2013, OIG report faults VA for failing to secure private 
information by not encrypting health data transmitted to out- 
patient clinics and external business partners. The VA must ad- 
dress the concerns raised and assure veterans who come to the VA 
for assistance that their personal information is secure. 

I want to thank everyone for being here today. I would also like 
to thank the witnesses for their testimony and for answering ques- 
tions about the security of veterans’ private information at the De- 
partment of Veterans Affairs. 

Thank you, Mr. Chairman. I yield back. 

[The prepared statement of Hon. Kirkpatrick appears in the Appendix] 

Mr. Coffman. Thank you, Ranking Member Kirkpatrick. 

I would now like to welcome our first panel to the witness table. 
On this panel we will hear from Ms. Linda Halliday, Assistant In- 
spector General for Audits and Evaluations from the VA’s Office of 
Inspector General. Accompanying Ms. Halliday is Ms. Sondra 
McCauley, Deputy Assistant Inspector General for Audits and 
Evaluations, and Mr. Michael Bowman, Director of the Information 
Technology and Security Audits Division. 

Before I recognize the panel, I ask that you please rise and raise 
your right hand. 

[Witnesses sworn.] 

Mr. Coffman. Ms. Halliday, you are now recognized for 5 min- 
utes. 

TESTIMONY OF LINDA A. HALLIDAY, ASSISTANT INSPECTOR 
GENERAL FOR AUDITS AND EVALUATIONS, OFFICE OF IN- 
SPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AF- 
FAIRS, ACCOMPANIED BY SONDRA MCCAULEY, DEPUTY AS- 
SISTANT INSPECTOR GENERAL FOR AUDITS AND EVALUA- 
TIONS, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT 
OF VETERANS AFFAIRS, AND MICHAEL BOWMAN, DIRECTOR, 
INFORMATION TECHNOLOGY AND SECURITY AUDITS DIVI- 
SION, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT 
OF VETERANS AFFAIRS 

Ms. Halliday. Mr. Chairman and Members of the Subcommittee, 
thank you for the opportunity to testify on VA’s security of vet- 
erans private information. With me today are Ms. Sondra 
McCauley, my deputy, and Mr. Michael Bowman, the Director of 
the OIG’s Information Technology Security Division. 
Secure systems and networks are essential to VA’s programs and 
operations for delivering benefits and services to our Nation’s vet- 
erans, yet OIG reports continue to disclose a pattern of ineffective 
information security which places VA at unnecessary risk. For 
more than 10 consecutive years, our consolidated financial state- 
ment audit reports have identified IT security as a material weak- 
ness. 

We also perform annual reviews of VA’s compliance with the re- 
quirements of the Federal Information Security Management Act, 
known as FISMA. This act serves as a catalyst for developing the 
framework to protect agency IT systems and sensitive information. 

As last year’s FISMA audit progressed, we did note VA focused 
more efforts to standardize information security controls. Mid-year 
in 2012, VA initiated CRISP, the Continuous Readiness and Infor- 
mation Security Program, to ensure year-round monitoring and to 
establish a team responsible for resolving the IT material weak- 
ness. However, CRISP was not in place long enough to adequately 
improve the material weakness for last year’s FISMA report. The 
report will be issued this month and will include 32 recommenda- 
tions for improving VA’s information security program. 

We found repeat weaknesses and vulnerabilities in four key 
areas. In the area of system access, we found password standards 
that were not consistently implemented and user accounts that 
were not enforcing minimal access privileges. 

In the area of configuration management, we found critical sys- 
tems lacked appropriate baseline controls and up-to-date vulner- 
ability patches. Also, the policies and procedures for authorizing, 
testing, and approval of system changes were not consistently im- 
plemented. 

In the area of security management, VA still had to address 
about 4,000 outstanding security vulnerabilities. We found its risk 
assessments and security plans were outdated and in some in- 
stances were not consistently put in place to reflect VA’s current 
IT environment or Federal standards. 

In the fourth area, contingency planning, we found some plans 
were not fully tested or updated, and in addition, backup tapes 
were not always encrypted prior to being sent to offsite storage. 
More importantly, we continue to identify significant technical 
weaknesses in databases, servers, network devices supporting sen- 
sitive data exchanges among VA facilities. Many of these weak- 
nesses are due to inconsistent program enforcement and ineffective 
communication between VA management and field offices. 

In addition to FISMA, OIG projects over the past 2 years have 
identified information security deficiencies, placing sensitive vet- 
erans data at risk of unauthorized access, loss, or disclosure. Spe- 
cifically, we reported on a broad range of security concerns, includ- 
ing VA’s transmission of sensitive data and internal network rout- 
ing information over an unencrypted carrier network, and VA’s ex- 
ternal data-sharing agreements and system interconnections which 
resulted in unsecured electronic and hard copy data at VA medical 
centers and co-located research facilities. We reported that 48 per- 
cent of VA’s 400,000 encryption software licenses, valued at about 
$5.1 million, remained unused, leaving VA computers vulnerable. 
And we reported on a backlog of personnel background checks 
which were inappropriately prohibiting some 3,000 contractors 
from working on awarded contracts. 

In summary, our audit reports and findings and recommenda- 
tions provide a roadmap for VA to improve its information security 
program, and VA needs to focus on addressing previously reported 
security issues related to the IT material weakness, they need to 
remediate high-risk system issues in their Plans of Actions and 
Milestones, and they need to establish effective processes for con- 
tinuous monitoring and to perform vulnerability assessments. 

Mr. Chairman, this concludes my statement, and we would be 
happy to answer any questions you or the Subcommittee may have. 

[The prepared statement of Linda A. Halliday appears in the Appendix] 

Mr. Coffman. Thank you, Ms. Halliday. 

How effective are VA facilities with protecting sensitive veteran 
data? 

Ms. Halliday. Well, based on our oversight, we’re continuing to 
find information security vulnerabilities at almost every VA med- 
ical center we visit. We visit 20 to 30 VAMCs a year as part of our 
FISMA work and we consistently find problems. The types of 
vulnerabilities include weak passwords, missing software patches, 
lack of software updates, excessive permissions, and unnecessary 
user accounts left on the system. 

Mr. Coffman. What are the foremost reasons why, after all this 
time, information security is still a major concern at the VA? 

Ms. Halliday. I would say that ineffective access controls, inef- 
fective configuration management controls, I think ineffective man- 
agement of systems interconnection and inadequate contractor 
oversight would be a fourth major reason. 

Mr. Coffman. Ms. Halliday, based on your ongoing oversight 
work, is VA likely to get rid of its IT security material weaknesses 
this year? 

Ms. Halliday. At this point it is too early to conclude. We do ex- 
pect that the CRISP initiative, which is starting to provide contin- 
uous monitoring, will be in place for the entire 12 months of this 
fiscal year 2013 FISMA review. Our concern, while we’re seeing 
weaknesses occur with less frequency, they are still occurring and 
they are repeat occurrences and vulnerabilities that we have re- 
ported on in fiscal year 2012 and earlier years. 

Mr. Coffman. What are VA’s most significant risks related to 
adequately protecting its systems and sensitive data? 

Ms. Halliday. The first would probably be ineffective access con- 
trols. That’s where critical systems had accounts with default pass- 
words that were considered weak passwords, i.e. easy to guess. 
User accounts with access rights that were not appropriate. In 
other words, you want to make sure that all users have a need for 
that information and that they have a security level appropriate to 
that need. We also identify unsecured electronic and hard copy re- 
search data at VA medical centers and co-located research facili- 
ties. 

So that covers access controls. Then we have inconsistent con- 
figuration management controls. Systems include key databases 
supporting critical applications, but they are not patched timely or 
secured and configured to mitigate previously known information 
vulnerabilities. We have ineffective management of system interconnections. 
That’s VA sensitive data such as health records and internal Internet 
protocol addresses. They are transmitted between VA medical centers 
and the community-based outpatient 
clinics using unencrypted protocols. And then access control and 
configuration management. These are all very significant risks that 
VA faces. 

As far as inadequate contractor oversight, contractors without 
the appropriate security clearances are gaining access to some VA 
mission critical systems, and we did a report on not having security 
clearances in place before gaining access to the systems with con- 
tractors. 

Mr. Coffman. Moving forward, what steps can VA take to pre- 
vent the loss of sensitive data? 

Ms. Halliday. I think VA really needs to improve its continuous 
monitoring process to ensure all the controls are operating as in- 
tended, and it needs to address the external organizations that it 
works with to make sure that they are adequately protecting sen- 
sitive veteran data in accordance with the VA policy and FISMA 
requirements. VA needs to ensure all service provider contracts in- 
clude provisions to implement information security protections in 
accordance with their policies and procedures. 

Mr. Coffman. Thank you. 

Ranking Member Kirkpatrick. 

Mrs. Kirkpatrick. You testified that there’s a 10-year period of 
weakness and vulnerability. So there was a report given to the VA 
year after year after year. In that 10-year span, did you see an in- 
crease in vulnerability and weakness? A decrease? Can you quan- 
tify that for me over that 10-year period? 

Ms. Halliday. We do an audit of VA’s consolidated financial 
statements annually and our contractors look at all of the controls 
associated with information security. They have felt that it has 
been a material weakness in VA for 10 full years. 

Mrs. Kirkpatrick. Has it been the same level of weakness and 
vulnerability? What I mean is, has it been getting worse for a while 
or has it gotten better? 

Ms. Halliday. I don’t think you ever get the exact same level of 
vulnerability. I think our concern, we report out on these various 
problems based on the testing. A couple years ago, VA’s Plan of Ac- 
tions and Milestones addressing security vulnerabilities was almost 
at 15,000 items that were outstanding and unaddressed. This past 
year VA has gotten it down to about 4,000, but that’s still 4,000 
security weaknesses and vulnerabilities that haven’t been ad- 
dressed. It is too many. 

Mrs. Kirkpatrick. Do you think that the CRISP program is 
helping them address those vulnerabilities more quickly? 

Ms. Halliday. Based on the preliminary and early testing, yes. 
We are still seeing and identifying security weaknesses and 
vulnerabilities, but to a lesser extent that we’ve seen that in the 
past. I would also have to say that VA is actively working with us 
to try and make sure that they understand what we are finding as 
part of our FISMA testing, understand the full scope so that they 
can put the right fixes in place. 
Mrs. Kirkpatrick. That was going to be one of my questions. 
When you issue a report, do you actually have a conversation with 
leadership at the VA about what needs to be implemented? 

Ms. Halliday. Absolutely. 

Mrs. Kirkpatrick. And is that on an ongoing basis? 

Ms. Halliday. Yes, it is. With this information security material 
weakness rising to the last material weakness in the Department’s 
financial statements, the Secretary on down through his chain of 
command has had it on their radar. They are working very hard. 
And we have made sure that we have been communicating with 
the Department. For example, that if we employ certain tools in 
our oversight to scan their systems, they are also acquiring those 
same state-of-the-art tools. So I think that there is an effort there, 
and at least this year and part of last year the communications 
have been better between what OIG is doing in the field, finding, 
and getting it remediated. 

Mrs. Kirkpatrick. I have one last question. I have a concern in 
your audit report. You say that you are concerned with a lack of 
human resources, and your statement says OIT experienced vacan- 
cies and excessive turnover in key leadership positions responsible 
for OIT’s strategic human capital management program. Could you 
tell the Committee a little bit more about that? What do you mean 
by excessive turnover? 

Ms. Halliday. I’m going to ask Sondra McCauley to take that. 

Mrs. Kirkpatrick. If you could just quantify that and give some 
reasons why you think that’s happening. 

Ms. McCauley. Excessive turnover in terms of the leadership 
within OIT in terms of managing the program. Turnover in terms 
of the program managers and project managers needed to manage 
each specific project, if you will, as well as a reliance on contractors 
to do a lot of the jobs that we really need government personnel 
to do. 

Mrs. Kirkpatrick. And why do you think that there is that ex- 
cessive turnover? 

Ms. McCauley. Some of it was attributed to a lack of planning, 
that is the need for a human capital plan to really focus in on the 
succession planning at the leadership level. But also to better iden- 
tify the skills that were needed to help manage these IT programs, 
and what would be a better contractor-to-FTE ratio to manage the 
programs. 

Mrs. Kirkpatrick. Okay. Thank you. I yield back, Mr. Chair- 
man. 

Mr. Coffman. Thank you, Ranking Member Kirkpatrick. 

Mr. Lamborn, you are recognized for 5 minutes. 

Mr. Lamborn. Thank you, Mr. Chairman. And before I ask my 
questions, I want to thank you, Mr. Chairman, for having this 
hearing. This is such an important topic. And there is so much 
going on here that I was frankly not really aware of and should 
have been, and we need to be aware what’s going on. So thank you 
for your leadership. This is so critical. 

Ms. Halliday, I am stunned about what’s going on here. And you 
said in your written testimony, “Lacking proper safeguards, IT systems 
are vulnerable to intrusions by groups seeking to obtain sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other systems. VA has at times been the victim of 
such malicious intent.” 

Can you tell us what you know about these malicious attacks on 
the VA’s sensitive information? Who committed these? 

Ms. Halliday. I will let Mr. Bowman speak to this one. It is in 
his area. 

Mr. Bowman. Thank you. 

We were informed of an intrusion by foreign countries through 
the Network Security Operations Center. The specifics of that, the 
foreign countries have actually compromised the domain controller 
and gained access to email accounts and were taking email infor- 
mation of the senior leadership at VA. The difficult part was, is VA 
was unsure how the foreign countries gained access to the net- 
works and what was actually being transmitted out of the VA net- 
works back to the original source. That’s the one that’s most cur- 
rent that I’m aware of. We also reference 2006 with the stolen 
laptop and the loss of the 26 million records. But those are the two 
main things that come to mind. 

As far as our ongoing FISMA work, we do continue to identify 
weaknesses with the critical databases that does host sensitive 
data, and the Web applications that are facing the Internet do have 
well-known vulnerabilities that could be exploited from the Inter- 
net. And these are ongoing from year-to-year. So there are signifi- 
cant risks out there that are related to this. 

Mr. Lamborn. And why don’t we know how much was taken? 

Mr. Bowman. A lot of it is having the right tools in place, such 
as intrusion-detection systems, and audit logs turned on. In some 
cases, VA doesn’t have audit logs enabled, so it is unaware of how 
these systems have been infiltrated and what data has been cap- 
tured and what has been transmitted. Good Intrusion Detection 
Systems on all the network segments are important to identify the 
attack signatures. 

Mr. Lamborn. Okay. What is the kind of sensitive information 
concerning a veteran like in my district back in Colorado Springs 
that could have been compromised? 

Mr. Bowman. It is more personal identifiable information that 
could be used to commit fraud. Let’s say a malicious intruder gains 
access to a database and has the Social Security number, name, 
and the date of birth, they could use that to commit credit card 
fraud. And that’s the main risk to veterans. 

Mr. Lamborn. And with the 20 or so million veterans who are 
on the system, the VA doesn’t know how few or how many of their 
sensitive information like Social Security numbers have been com- 
promised? 

Mr. Bowman. That’s a potential risk. 

Mr. Lamborn. It could be all of them? 

Mr. Bowman. Yes, without having audit logging enabled, you 
don’t know what has been compromised or how often those systems 
have been accessed in an unauthorized manner. 

Mr. Lamborn. Would either of you ladies like to add to what I’ve 
been asking? 

Ms. Halliday. No, I think Mike answered it perfectly. 

Mr. Lamborn. I’m just amazed at this. I mean, this is serious. 
And the VA has known about this for up to 10 years now? 
Mr. Bowman. We’ve reported significant vulnerabilities for well 
over 10 years, as indicated by the IT material weakness. In the last 
5 years, we have increased our assessment of the security controls 
through our user vulnerability assessment tools, database tools, 
Web app tools, so we think our evaluation is more comprehensive. 
In the last 5 years, we’ve shown consistent vulnerabilities from 
year to year that put the VA systems at risk. 

Mr. Lamborn. And you mentioned potential state actors with 
malicious intent. Was that fairly recent that those attempts or 
those actions were detected? 

Mr. Bowman. I heard about that within the last year and a half. 

Mr. Lamborn. So there’s a pattern of knowing about this for 10 
years leading up to a malicious capture of who knows how many 
Social Security numbers or other sensitive pieces of information of 
up to 20 million veterans within the last year and a half. Is that 
a proper understanding? 

Mr. Bowman. It is possible. We don’t know. 

Mr. Lamborn. Thank you, Mr. Chairman. I yield back. 

Mr. Coffman. Thank you, Mr. Lamborn. 

Mr. O’Rourke for 5 minutes. 

Mr. O’Rourke. Thank you, Mr. Chair. 

For Ms. Halliday, I actually wanted to follow up on some ques- 
tions Mr. Lamborn was asking. For a veteran back home in the dis- 
tricts we represent, specifically, have we seen any consequences 
that we’ve been able to document in terms of their information 
being stolen and used by someone who has broken into this sys- 
tem? And not necessarily in my district, but can you point to some 
examples of how this has affected people that we represent? 

Ms. Halliday. VA has an NSOC program where you report secu- 
rity incidents to them. They will prioritize it and start to work on 
the severity of those incidents. There is normally a good record 
then given of the facts of what happened and they will look at the 
controls and try to put the remediation in place. There are hun- 
dreds of incidents reported on an annual basis. 

Mr. O’Rourke. And can you take us through one to illustrate the 
consequences? For example, Social Security information was taken. 
They used that to impersonate that veteran to try to take benefits 
or to obtain credit cards or — 

Ms. Halliday. I do not have an example. 

Mr. O’Rourke. Okay. Let me just ask you or Mr. Bowman, do 
you know of examples that have been documented, specific con- 
sequences? I mean, I agree with what everyone has said so far, the 
overall problem and the threat represented by these security 
vulnerabilities is unacceptable and needs to be addressed and 
needs to be fixed, but I also want to understand the human dimen- 
sion of this, what problems it has already caused for veterans, if 
any, if you’ve been able to document them. I am assuming there 
have been. So anyhow, that’s something we would like to follow up 
on. 

Then I guess for Mr. Bowman, what’s the expectation in terms 
of being able to address these? When should this Committee expect 
to hear back from Ms. Halliday at a future hearing that these find- 
ings and problems that have been uncovered have been addressed 
to our satisfaction and that we feel that we have a reasonable level 
of security, these threats have been closed, and we are now happy 
with that system? What’s a date that you could point us towards? 

Mr. Bowman. VA plans to implement a fully developed contin- 
uous monitoring program within the next 6 to 8 months. Using 
that, they should have a better visibility of the security posture of 
their IT systems. We have 32 outstanding recommendations from 
our FISMA work that need to be addressed to improve the security 
posture. It will probably take VA well over a year, year and a half 
to get a good handle on that and address those issues. 

So if we could possibly convene maybe a year from now, VA may 
be able to communicate some significant progress in their IT secu- 
rity program; we will be able to communicate that as well. 

Mr. O’Rourke. And just to make sure that I understand what 
you just said, within 12 to 18 months those 32 recommendations 
would be implemented? 

Mr. Bowman. I don’t know for sure, but I think that’s a reason- 
able timeline if VA takes an aggressive approach for improving its 
security program. 

Mr. O’Rourke. Okay. 

Ms. Halliday. Sir, we just received the official comments from 
Mr. Warren on the 32 recommendations and the implementation 
plans that they will deploy regarding those 32 recommendations. 
There are various timeframes associated with that. But our first 
conclusion will come at the end of this year’s audit of the consoli- 
dated financial statements as to whether they would drop that ma- 
terial weakness or not, and all of the testing will be happening over 
the summer. So that report is issued on November 15th, and it will 
assess whether the material weakness remains or it drops to a sig- 
nificant deficiency. At this point, since VA has not fully imple- 
mented its continuous monitoring, Mike is exactly correct that it is 
probably going to take longer than a few months to take care of 
this. 

Mr. O’Rourke. Okay. Thank you. 

Mr. Chairman, I yield back. 

Mr. Coffman. Thank you, Mr. O’Rourke. 

Dr. Roe for 5 minutes. 

Mr. Roe. I thank the Chairman. 

Ms. Halliday, thank you and your team for the excellent work 
you’ve done and certainly informing our Committee of the prob- 
lems. I guess my concern is, is that this mirrors and patterns many 
of the other hearings I’ve been to where we can’t seem to get the 
electronic health record fixed year after year, and it looks like that 
security is a problem year after year. We just passed a bill in the 
House, CISPA. 

Most of us in this room have been to classified briefings on the 
security risks that this country has from outside bad actors. And 
I’ve got to go home this weekend, as every member up here does, 
and when this information gets out, veterans are going to come to 
me, there are many veterans sitting right up here at this dais, and 
they are going to say, are my records secure? And I’m going to have 
to look them in the eye and say, no, they are not, from what I’ve 
heard. And that’s not a very acceptable answer, especially after 10 
years, and especially after we know the risks in the government. 
You haven’t looked at every other phase, but do other departments 
in the U.S. Government share these same problems? In 
other words, is this a systemic-wide problem across government or 
is this just VA specific? And you may not be able to answer that 
question. 

Ms. Halliday. I can’t give you a definitive answer, but it is a 
problem for those agencies that are dealing with privacy-type infor- 
mation. 

Mr. Roe. You know, we’ve been asked as a Congress, we’ve been 
instructed in private that it is a severe problem for business. We’ve 
been asked to look at some privacy issues about how you — and we 
have a department of government that’s not even doing what we’re 
asking business to do right now. 

I think there are a couple of things that I would like to ask just 
briefly, and government-wide we don’t know. How will we know 
that when we do go home, when can we say that this information 
will be secure? And we certainly know how when you steal private 
information, whether it is through somebody getting your debit 
card number or whatever, what it is used for, it is basically just 
to steal from you. So is that it, just mainly you think, or is it access 
to other government agencies through the VA? Is this the back 
door to some other agencies? 

Ms. Halliday. When we can say that the security of veterans in- 
formation has been taken care of, I think will be at the point when 
VA addresses all the recommendations in the reports that we have 
made with regards to FISMA. We’ve given them a roadmap to fix 
things. It is such a decentralized organization that they have to 
bring a culture of accountability, personal accountability for every 
action, and they need to make sure they have a consistent imple- 
mentation of the policies and procedures. We don’t quite see that 
yet with the FISMA testing or the testing done as part of the con- 
solidated financial statements. 

Mr. Roe. Let’s say you go to a VA medical center somewhere, 
and you mentioned that some of the software wasn’t up to date, 
passwords, you can figure it out. 111, whatever, four Is in a row, 
whatever. Who is responsible for that and what penalty is it if you 
don’t do anything? 

Ms. Halliday. The responsibility lies with the CIO in the De- 
partment of Veterans Affairs and it tiers down through that organi- 
zation. 

Mr. Roe. Okay. When a breach occurs, what does VA do then? 
When you know you’ve been hacked or there is an attempt. Let’s 
see you haven’t been breached, but you know that your firewall has 
been pinged, what do you do? 

Ms. Halliday. You assess the severity of it based on the facts 
you can determine. You get a team together to look at how to fix 
whatever controls are needed to be fixed related to what happened. 
And VA has been trying to do that, but they have a significant 
number of security incidents. 

Mr. Roe. And I’m thinking, I am a veteran. I’m sitting here 
thinking okay, we’ve lost a laptop computer with 20 million bits of 
information on it and the system is not secure now. That doesn’t 
give me a lot of confidence if I go to the VA to hand over my Social 
Security number and all that. 
Ms. Halliday. Right. VA did mandate cybersecurity and privacy 
awareness training nationwide to bring down a level of personal ac- 
countability to every individual that’s doing work and touching vet- 
eran-sensitive information to make sure it brought accountability 
to this process and requires individuals to sign a statement that 
they will protect the veteran’s information. So that is a step in the 
right direction. 

Mr. Roe. Ms. Halliday, thank you. And I think we have our 
marching orders, and we will hear from the other two panels. But 
I think in 12 months we should be able to sit here, or less, and be 
able to look our veterans in the eye and say to them that your in- 
formation is as secure as we can do it. I understand there is noth- 
ing that’s 100 percent, I got that. But it is relatively secure. Am 
I correct in that? 

Ms. Halliday. Absolutely. Both the prior VA Secretary and the 
current have asked for the gold standard in protecting VA’s vet- 
erans information, and I think the expectation should be nothing 
less. 

Mr. Roe. Thank you, Mr. Chairman. I yield back. 

Mr. Coffman. Mr. Walz for 5 minutes. 

Mr. Walz. Thank you, Mr. Chairman. 

Ms. Halliday and your team, thank you once again for coming. 

Again, we have been through these hearings and we listen to 
them. I guess the part I’m getting at is, and many of us, myself 
included. I’ve been advocating for more sharing of data, especially 
between DoD and VA, been advocating for being able to get some 
of that information to some of our partners, like the county veteran 
service officers, to help with claim processing, been advocating for 
bringing private medical data into the system to help speed the 
claims process. 

With that being said, with the VA and its research partners, how 
do they do the formal agreements between them? And I guess the 
point I’m getting at here is, is this issue we’re addressing — and I 
would assume you have lots of contact with your private sector 
counterparts and best practices — this very same thing happens in 
the private sector, correct, but there’s no requirement for them to 
report when there is a breach. Is that correct? 

Ms. Halliday. Pretty much, yes. 

Mr. Walz. How are these agreements done and if there’s a 
breach at a research institution on the private sector side, how do 
we know they are reporting that breach back and who is ultimately 
responsible in those agreements? 

Ms. Halliday. Basically, you need a formal agreement that out- 
lines the roles and responsibilities of both the external partner and 
VA. In that particular instance, we see some real inconsistencies 
and some of these agreements are not being put in place. 

The second you would like to do is make sure that, whatever ar- 
rangement VA is entering into, that organization has commensu- 
rate controls with VA so that they can adhere to VA’s policies and 
procedures. 

Mr. Walz. But they are not required to adhere to FISMA, is that 
correct, private entity? 

Ms. Halliday. Right. But you can establish those terms in these 
agreements. 
Mr. Walz. Okay. 

Ms. Halliday. And that’s where you should do that. Because if 
you have one side, securing veterans’ information very tightly and 
another handling it very loosely, you have a problem. 

Mr. Walz. Is it safe to say we then do not know the scope of the 
problem yet if those are lacking, because there are many, many of 
these agreements. 

Ms. Halliday. Absolutely. 

Mr. Walz. Okay. So we have no idea on the scope of that. 

Ms. Halliday. Right. 

Mr. Walz. When you look at this, where is the model? Is there 
an entity, an institution that’s out there that is the gold standard 
of best practices, how should this be done? I mean, there are stand- 
ards and protocols that should be implemented. Who is doing it on 
the scale of VA? Is Citibank doing it? Is Credit Suisse doing it? 
Who is doing it that it looks correct? Because the targets here 
aren’t necessarily targets because they are veterans. They are tar- 
gets because they are easy, is that correct, or they are trying to 
make it easy in many cases. Can you give me an example of who 
is the gold standard? 

Ms. Halliday. We can’t give you an example. 

Mr. Walz. Is that for lack of your knowledge on what others are 
doing or is that because there might not be one? 

Ms. Halliday. I would say more lack of our having direct knowl- 
edge of who is actually performing specific practices. Some people 
might attest that they do have a gold standard, but when you look 
behind it and you see breaches and problems with that. We haven’t 
looked at that so I can’t really answer. 

Mr. Walz. If we had some of them here to talk to us about the 
problems they are having, that might help us get an understanding 
of this and let the VA bring some of those things in. 

Ms. Halliday. I think there’s always an opportunity to bring in 
best practices from the outside and from other Federal agencies. 

Mr. Walz. Okay. So if we implement all the protocols that you’ve 
put out there, and I think you gave me the number of 4,000 poten- 
tial weaknesses or vulnerabilities, if we implemented all of those 
and were able to do it, what’s the cost associated with that? I un- 
derstand what the cost of not doing it is great. It is a breach of 
trust and security of our veterans. What’s the implication? Is that 
not something you factor in when you do your assessment? 

Ms. Halliday. Sir, I would not have that answer, but you should 
ask VA. 

Mr. Walz. Okay. Very good. 

All right. Well, again, I thank you for your service. It is invalu- 
able. As I always say, the more that we can do to support the IG, 
the better government we get out of it. So thank you. 

Ms. Halliday. Thank you. 

Mr. Coffman. Mr. Huelskamp for 5 minutes. 

Mr. Huelskamp. Thank you, Mr. Chairman. I appreciate you 
providing the opportunity for this hearing. And I must say I have 
a lot of words to describe my feelings, and embarrassed by the ac- 
tions or lack thereof by the VA might be one of those. Shocked. 
Surprised. I guess I will probably be even more surprised by later 
testimony. 
But if I understand correctly, one of the things that you did men- 
tion, that there was a violation or personal emails of the Secretary 
and high-level staff were compromised. And can you describe that 
a little bit further? 

Mr. Bowman. My understanding is that when the domain con- 
trollers got compromised, they got access to the senior leadership 
email accounts, and there is information that indicates that those 
emails were exported outside the VA network. 

The value of them is unknown. What they did with those emails 
is unknown. But whenever you compromise a domain controller, es- 
sentially you own the enterprise. That’s the seriousness of it. 

Mr. Huelskamp. I appreciate that. You own access to 20 million 
records, plus that of their dependents. What was the VA response 
when you brought that to their attention? 

Mr. Bowman. It wasn’t formally communicated to me. I heard it 
in a meeting that was discussed between the NSOC. And they 
probably were unaware I was listening in, but that is just what I 
heard, just by observing some of these meetings and VA describing 
these events. 

Mr. Huelskamp. And this is very shocking, Mr. Chairman. I 
know we have a letter in front of us from a very high-ranking offi- 
cial at the VA that says, quote, “VA’s security posture was never 
at risk.” Was never at risk. And that’s a quote from a high-ranking 
official. And I would guess that perhaps they used email to put this 
together. Can you imagine the thought that the folks that were 
hacking the system were actually reading this email as they were 
exporting 20 million private records. And you indicated we do have 
evidence potentially of external state-sponsored espionage that 
might be occurring to the VA. One of you had indicated that was 
a possibility? 

Mr. Bowman. That’s my understanding. 

Mr. Huelskamp. Okay. And did you bring this to the VA’s atten- 
tion and what was their response? 

Mr. Bowman. We haven’t. With the FISMA work, we haven’t 
specifically addressed that issue. We do get into incident handling 
and monitoring. And we identify every year there are network con- 
nections that aren’t being monitored by VA. So the risk is that you 
could have systems compromised, data being transmitted exter- 
nally, and VA could be unaware of it. 

Mr. Huelskamp. They could be unaware that the information is 
actually leaving. And if asked, they could potentially, even under 
oath say we know of no such transmission, which if I understand 
correctly might absolutely be true and would suggest obviously 
when you’ve given up control of the system like you indicated you 
would have actually no idea of the threat then? 

Mr. Bowman. That’s correct. 

Ms. Halliday. Sir, one of the things that we do as part of our 
oversight is gain an understanding of what is happening in the VA 
environment, and then we send information to our contractor who 
is doing the actual FISMA assessment to put the right work steps 
in place to do full evaluations, to understand and properly assess 
the risks. That’s all happening as part of the FISMA process. 

Mr. Huelskamp. And I appreciate your work. You have a very 
difficult task of identifying the problems and hopefully providing 
some solutions, but it is up to the VA, maybe after 10 years, to fi- 
nally implement some of those. 

The latest thing I see in your report is an incident from March 
2013 in which sensitive, private, perhaps medical and personal 
data was transmitted over an unencrypted telecommunications car- 
rier network. Can you tell me what happened when that personal 
data was transmitted unencrypted? Apparently VA did not know 
they were doing that. What’s their response? You indicate that the 
management acknowledged this practice and formally accepted the 
security risk. Did they identify who was at risk, how they were at 
risk, and did they close this security gap? 

Mr. Bowman. Yes, we received a hotline complaint discussing the 
transmission of unencrypted data between the medical centers and 
the community-based outpatient clinics using unencrypted proto- 
cols over a telecommunication carrier network. We went and dis- 
cussed with the network engineers and various levels with VA, and 
they admitted that this is a common practice. 

Mr. Huelskamp. They admitted this is a common practice. 

Mr. Bowman. It is a common practice. But a mitigating factor is, 
is they logically segment that traffic from other customer traffic. 
The downside of that is it still needs to be encrypted, and there are 
technological solutions that can encrypt that traffic when it is out- 
side of VA’s span of control. Now, VA responded to that report by 
saying they plan to implement encryption controls, so that will im- 
prove that risk of losing that data as it leaves VA’s span of control. 

Mr. Huelskamp. I’m sorry, Mr. Chairman, one last question. 

So they planned. Do you know if they actually have implemented 
the encryption to protect sensitive data? 

Mr. Bowman. My understanding is that edge router encryption 
controls have not been implemented yet. 

Mr. Huelskamp. I yield back, Mr. Chairman. 

Mr. Coffman. Ms. Walorski for 5 minutes. 

Mrs. Walorski. Thank you, Mr. Chairman. 

I appreciate the report, I appreciate the information. I will tell 
you, when I was in the Indiana House, we did hold companies re- 
sponsible for these massive breaches of identity theft, especially 
when a Social Security number was in the breach. And so we did 
have legislation and we still do, and I think 17 or 18 other States 
now have it as well, holding private companies responsible, and if 
there’s a breach that the buck does stop with them for immediate 
information sharing, in some cases freezing credit reports. 

So my first question is on this information as it is leaked to a 
veteran in my district, say their Social Security number was 
accessed, are any of those Social Security numbers redacted or is 
this just free-flowing raw data that’s going out the door? 

Mr. Bowman. Well, we don’t have knowledge of any specific cases 
of data loss, other than the 2006 example, and in those cases VA 
is responsible for providing credit reporting services to the veterans 
who may have been harmed by this. But what we try to indicate, 
is that using unencrypted protocols, the risks remain, that the po- 
tential is there, and that VA needs to implement these proactive 
controls so these type of events do not occur going forward. 

Mrs. Walorski. But in light of the answers to the various ques- 
tions up here, there obviously has been more than just one incident 
in 2006 when that information has been available. And so, you 
know, I think about this in my district. I have 52,000 veterans in 
my district and then their extended families, and I’m thinking, you 
know, if this happened in the private sector, automatically this 
would have triggered — just the suspicion and the not knowing 
would have triggered an automatic credit freeze to the people that 
would be living in my district. 

So I’m looking at this from the standpoint of saying, you know, 
sending out an APB when I get out of here that says to the 52,000 
vets in my district, better check your credit report because we have 
no idea that your information has not been breached, and to contin- 
ually check that. And as we continue to tell people to go access 
their VSOs and go access their facilities because there’s a long wait 
and the things we deal with on the veteran side, is how at risk 
they are with sharing that information in today’s day with these 
violations. 

In the private sector, this type of an entity would never survive. 
The lawsuits that would come would shut them down because of 
private information being at risk and being taken and nobody re- 
sponsible. So it is absolutely baffling to me that in addition to some 
of the other things that we have heard in this report, that the buck 
stops with the CIO, and we have had nothing but turnover, as 
you’ve reported, in this entity of this area of the VA to begin with. 
Has anybody ever been disciplined based upon the findings of your 
reports? 

Ms. Halliday. We can only make a recommendation. It is up to 
the Department to take the administrative action. That’s the extent 
of our authority. 

Mrs. Walorski. Have any of your recommendations involved 
issues of employees or incompetence or training or things actually 
for the people who are actually working there taking this informa- 
tion? 

Ms. Halliday. Yes, I would say several, especially with our ad- 
ministrative investigations. It’s looking at very specific personal ac- 
countability for actions. 

Mrs. Walorski. And are you asking specifically that supervisors 
and managers and CIOs and these kind of people that have been 
in charge, where the buck stops with this information, that they be 
disciplined, if not terminated? 

Ms. Halliday. We make a recommendation for appropriate ad- 
ministrative action and then generally give a discussion with 
that — 

Mrs. Walorski. And is the appropriate action usually termi- 
nation? I’m not familiar with the protocol. What is the appropriate 
action on something like this large of a risk to this many people? 

Ms. Halliday. You would have to look at the severity of the inci- 
dent, determine the exposure, determine what the accountability 
was. Was there intent? Was this a mistake that they may not have 
been able to prevent? And then when you do that, you apply the 
Douglas factors for disciplinary actions in the Federal Government. 

Mrs. Walorski. But my understanding would be, in the last 10 
years, based upon the previous questioning, that the 40 or so out- 
standing compliance issues that you have advocated that they fol- 
low, had those been followed in the last couple of years, we would 
have remedied this situation. So there has to be some kind of ac- 
countability still, and disciplinary actions, and the buck stops 
someplace with this staff, correct? 

Ms. Halliday. We absolutely think the Department should have 
implemented many of the FISMA recommendations and tightened 
controls early, and they would have less security incidents. 

Mrs. Walorski. Thank you. 

Thank you, Mr. Chairman. I yield back. 

Mr. Coffman. Thank you, panel. I appreciate your testimony. 
You are now excused. 

I now invite the second panel to the witness table. 

On this panel, we will hear from Mr. Stephen Warren, Acting As- 
sistant Secretary for Information and Technology at the Depart- 
ment of Veterans Affairs. Accompanying Mr. Warren is Mr. Stan 
Lowe, Deputy Assistant Secretary for Information Security from 
the Office of Information and Technology at the Department of Vet- 
erans Affairs. 

Before I recognize the panel, I ask that you please rise and raise 
your right hand. 

[Witness sworn.] 

Mr. Coffman. You may be seated. 

Mr. Warren, you are now recognized for 5 minutes. 

TESTIMONY OF STEPHEN W. WARREN, ACTING ASSISTANT SECRETARY FOR 
INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS, 
ACCOMPANIED BY STAN LOWE, DEPUTY ASSISTANT SECRETARY FOR 
INFORMATION SECURITY, OFFICE OF INFORMATION AND TECHNOLOGY, 
U.S. DEPARTMENT OF VETERANS AFFAIRS 

Mr. Warren. Chairman Coffman, Ranking Member Kirkpatrick, 
Members of the Subcommittee, thank you for inviting me to testify 
regarding the Department of Veterans Affairs Information Tech- 
nology Security Program. Accompanying me today is Mr. Stanley 
Lowe, Deputy Assistant Secretary for Information Security. 

There is no higher priority than protecting the data that VA 
holds on our Nation’s veterans. I, as well as the many IT employees 
at VA — over 56 percent are veterans themselves — take this respon- 
sibility very seriously. 

As the Committee knows, the Department received a wake-up 
call from the stolen laptop incident in 2006. As a result, the VA 
consolidated its disparate IT functions into a single, unified IT or- 
ganization. VA’s consolidated IT organization is responsible for pro- 
viding the tools, services, and systems that are necessary to protect 
veterans’ information at 153 hospitals, 853 community-based out- 
patient clinics, 57 benefit processing offices, and over 160 cemeteries or memorial sites. Our network supports over 400,000 users 
and over 750,000 individual devices. We are committed to pro- 
tecting the information we hold on millions of veterans, their bene- 
ficiaries, and more than 300,000 VA employees. 

As we all know, IT security threats continue to evolve. To that 
end, we have implemented our continuous monitoring program, 
which continuously checks all IT systems and monitors every de- 
vice attached to the VA network. VA launched the Continuous 
Readiness in Information Security Program, or CRISP, in 2012 to 
proactively address process and policy deficiencies, as well as architecture and configuration issues. 

As part of the CRISP effort, the VA conducts rigorous vulner- 
ability scanning, continuous monitoring of patching and software 
inventory, implementing port security, anti-virus services, and 
encryption of nonmedical IT desktops and laptops. 

Through Web Application Security Assessments, VA is able to 
identify critical vulnerabilities and potential exploits in VA sys- 
tems. We protect the network infrastructure by identifying all net- 
work assets, critical database stores, all external connections, and 
provide the Trusted Internet Connection Gateways services. 

In the past year, VA has measurably improved its security. The 
Department has ensured that over 98 percent of VA staff have re- 
ceived the mandatory security training they need to protect the in- 
formation of veterans and their families. Only staff turnover pre- 
vents us from reaching 100 percent. 

After the 2006 incident, VA worked to ensure its laptop com- 
puters were encrypted to provide another layer of protection. Cur- 
rently, over 98 percent of VA’s nonmedical IT laptops are 
encrypted. The Department aims to complete the encryption of the 
final 2 percent by June 30. 

VA has a robust data breach notification process using a Data 
Breach Core Team. When the team determines that a potential 
breach may have occurred, they notify affected individuals and 
offer credit monitoring. VA also posts a monthly report of data 
breach notification on its Web site, and this report is provided to 
Congress, in addition to the required quarterly data breach report. 

VA has become one of the very best large organizations of pro- 
viding notification if a potential breach occurred. This law requires 
notification within 60 days. A review of VA’s incident tracking sys- 
tem over the current fiscal year indicates that VA takes, on aver- 
age, 25 days to provide notice. VA’s standards and practices exceed 
even the strictest Federal, State laws and policies. 

I would like to update you on our progress to extend VA’s author- 
ity to operate, or ATOs. Before giving you this update, I would like 
to assure the Committee in the strongest terms that at no time was 
veterans’ data placed at risk by this process. The signing of an 
ATO represents the final step in what is otherwise a continual 
process of security and management reviews. 

As the Committee is aware, VA has been working to extend near- 
ly 600 ATOs over the last several months. We have worked to as- 
sure that requirements for each ATO are properly conducted and 
documented. VA trusts the ATO validation process and the work of 
the information security officers, facility CIOs, and system owners 
to ensure system security. This paper-based process validates that 
critical steps are being taken to protect our veterans’ data. 

Mr. Chairman, VA places the highest priority on safeguarding 
veterans’ and employees’ personnel information. We are committed 
to information security. And although work remains, VA has made 
significant improvements in the last few years and strives to meet 
those highest standards in protecting our Nation’s veterans’ sen- 
sitive information. 

Thank you for your continued support of veterans, their families, 
and our efforts to protect veterans and their information. I am prepared to answer any questions by the Ranking Member, the Chairman, or the Members. 

[The prepared statement of Stephen W. Warren appears in the Appendix.] 

Mr. Coffman. Mr. Warren, given your knowledge of visitors in 
the network since 2010, and understanding that there were signifi- 
cant security weaknesses, why would you insist on conveying the 
message that veteran data is not at risk? 

Mr. Warren. Thank you, Chairman. I think that that actually 
is a great question to ask within the construct of information pro- 
tection. 

I think it’s very important to note that my partners in the In- 
spector General’s Office used words such as could, might, potential, 
possible, is possible. When an audit takes place, when a review 
takes place, the focus is on what could happen. But remember, the 
existence of a risk is not the same as the removal of information 
out of the network. 

Several things need to exist. What needs to exist is the potential, 
and we try to drive those down as quick as we can. There needs 
to be an actor who has access and the ability to get to where that 
risk is. They need to be able to do that in such a way that they 
are not seen, and then they need to be able to move the informa- 
tion out of the network through all the sensors and past the gate- 
way, as well as past our partners in DHS who are watching outside 
our gateway, and then remove it. So the piece we need to be very 
careful of is, we’re talking about potentials, we’re not talking about 
actuals. And so the — 

Mr. Coffman. I’m sorry. How do you define the difference be- 
tween an actual and a potential? And I’m looking at an internal re- 
port on August 15, 2012, and it talks about an actual — at least it 
talks about that the network was penetrated. So how do you define 
actual versus potential? 

Mr. Warren. Sir, I don’t have that report in front of me. 

Mr. Coffman. Well, I’ll make it available to you. 

Mr. Warren. And I will gladly respond to the record, sir, in 
terms of that specific incident. 

Mr. Coffman. Sure. Okay. 

Mr. Coffman. Please define the difference between actual and 
potential. 

Mr. Warren. Potential is — and we’ll do as an example your home 
computer. So if you do not update your — 

Mr. Coffman. How about we just stick with the VA system. Let’s 
talk about that. 

Mr. Warren. Sure. We can talk about a desktop computer. Once 
a month Microsoft puts out a set of patches on Tuesdays. So every 
Tuesday, once a month, the first Tuesday Microsoft sends out a full 
set of patches. If we do not incorporate those patches into the sys- 
tem, the potential for somebody going to a Web site and the poten- 
tial being exploited goes up. But the VA has a very aggressive pro- 
gram to make sure those desktop patches happen once a month as 
Microsoft puts it out. So if you don’t do them and you don’t do it 
over multiple months, the potential for the desktop to be com- 
promised and the system itself to be compromised goes up. 
Mr. Coffman. It’s my understanding you have not instituted all 
the patches in the VA system. Is that correct? 

Mr. Warren. I’m sorry, I missed the first part. 

Mr. Coffman. That you have not instituted all of the patches 
prescribed for the VA system. 

Mr. Warren. I would tell you, Mr. Chairman, that we have a 
very aggressive program to make sure the desktop computers are 
patched. 

Mr. Coffman. You’re not answering my question. 

Mr. Warren. The intent is not — 

Mr. Coffman. To the VA system. Is it true that not all the 
patches have been applied as prescribed in the VA system? In the 
information network. 

Mr. Warren. Sir, there are about 750,000 devices in the net- 
work. So if you’re asking does every single one of those devices 
have every single one of the patches that their manufacturers put 
out, the answer would be no because there are multiple times when 
that patch will actually break the application that you need to use, 
and therefore there is a waiver in place that says you don’t patch 
that system because not working is actually worse than a potential 
risk within an environment which is — 

Mr. Coffman. Mr. Warren, why did you not previously disclose 
to the Committee that VA has had serious and continuous com- 
promises of systems and data by nation-state sponsored actors? 

Mr. Warren. With all due respect, I do not believe it is a true 
statement, as you laid it out, that the VA has been continually 
compromised by foreign nation states. We have a strong partner- 
ship with Homeland Security, which watches the boundary for the 
Department. 

Mr. Coffman. Mr. Warren, has a foreign entity targeted and 
penetrated our network? 

Mr. Warren. I am aware of a single incident that our network 
operation center identified. 

Mr. Coffman. And when was that? 

Mr. Warren. It was last year. I will need to get back for the 
record in terms of the specific date. 

Mr. Coffman. Very well. And I will make this internal document 
available to you. And I think you can be informed that there actu- 
ally have been quite a few breaches. 

Ranking Member Kirkpatrick. 

Mrs. Kirkpatrick. Thank you, Mr. Chairman. I’d like to follow 
that line of questioning. 

Mr. Warren, if a system is compromised, would you know? Or is 
it possible for it to be compromised and you to not know? 

Mr. Warren. I would tell you, with the controls that we emplace, 
with continuous monitoring, as well as the work that we do at our 
boundaries with Homeland Security and our NSOC, the probability 
of somebody being in the network and compromising a system 
without us knowing it is very, very low. But I can’t argue the abso- 
lute. 

Mrs. Kirkpatrick. Can you provide for the Committee how many 
times the system has been hacked since the beginning of this year? 

Mr. Warren. I will gladly provide that for the record. 
Mrs. Kirkpatrick. Thank you. Was it your testimony that it 
takes you 25 days to notify the veteran that their personal information may have been compromised? 

Mr. Warren. Yes, ma’am. If I could expand on that. 

Mrs. Kirkpatrick. Would you expand on that, because that really concerns me. In 25 days everything could be wiped out for that 
person. 

Mr. Warren. Certainly, ma’am. What happens is as soon as — 
and VA has a 1-hour reporting requirement — as soon as an em- 
ployee believes the potential of something happening, they’re sup- 
posed to notify our NSOC, and it is part of the reporting we do. 
At that point, we pull the team together and we ask the question: 
What and why? Is it real? And if it turns out we have an issue, 
the Data Breach Team — which meets once a week, which is made 
up of career staff who are outside the chain of command — they do 
the analysis of that potential breach and they determine if the po- 
tential was high enough that data had left. And normally, if there 
is just a little potential, the Department goes ahead and reaches 
out to all of those veterans with credit monitoring for a year. And 
the 25-day period is the time for the notification to the NSOC, the 
establishment of the team, the analysis of the data to make sure 
what was reported was actual. And in many cases — in fact, in most 
cases — it’s the potential that is reported, and we reach out to vet- 
erans anyway and we offer that credit reporting. 

Mrs. Kirkpatrick. How many times have you had to notify vet- 
erans within the last year? 

Mr. Warren. Ma’am, I will get you that for the record in terms 
of the number of times that we notified veterans and offered credit 
reporting as a result of a potential data breach. 

Mrs. Kirkpatrick. Thank you. And was it also your testimony 
that by June 30 of this year your system will be encrypted? 

Mr. Warren. Actually, my testimony, ma’am, was that for all 
nonmedical IT laptops. So the ones that are under my responsi- 
bility, we will have the last of those encrypted. 

Mrs. Kirkpatrick. But the medical laptops will not be 
encrypted? 

Mr. Warren. No, ma’am. And, Ranking Member, the difficulty 
we have with medical devices is they’re constrained by their certifi- 
cation from the FDA. And the concern is by putting encryption on 
that laptop, a medical device that has a laptop in it, you will actu- 
ally impede the ability of that medical device to do its job. 

And so we’ve had lots of conversations with the FDA to figure 
out how you can do that. But when a device is certified that has 
a medical device in it, the condition of the device at the time of cer- 
tification constrains what you can do afterwards. And so to handle 
that, we actually have a separate area, an isolated area in the VA 
network where we put those medical devices that are based on IT 
equipment. And we also go further by working with our partners 
in VHA where we start testing those devices to see if there is an 
impact to its job in terms of delivering care, or if we impact their 
certification boundary. And in cases where it isn’t — and there is a 
tool called bar-code medication, which is what the nurses move 
through the wards — we are able to show that there was no impact, 
those medical device laptops are now encrypted. And so we work 
our way through that with our partners in the health administra- 
tion and the biomed folks. 

Mrs. Kirkpatrick. I have one last question. Are you familiar 
with or have you heard the Inspector General talk about the fact 
there has been excessive turnover in key leadership positions and 
there’s a lack of human resources in the IT departments? Do you 
agree with that statement? 

Mr. Warren. I would tell you that an organization going through 
transformation is a difficult place to work because everything is 
moving around you. And so we have had transition of staff. We’ve 
had transition of staff going out and coming in. This year, I believe 
I am 100 folks below my ceiling of about 8,500 individuals. 

Mrs. Kirkpatrick. Do you have a strategy to address that so you 
have adequate human resources? 

Mr. Warren. We do active recruiting. We work with the HR or- 
ganization to figure out how do I do pools so I can make sure I’ve 
got project managers lined up, to make sure I have individuals 
lined up to bring them in. 

We also have a very strong focus on veterans. As an example, 
last year, 75 percent of my new hires were veterans, because that’s 
very important to me, as a veteran, to make sure we’re bringing 
our clients, if you will, into the organization to help us do a better 
job. 

Mrs. Kirkpatrick. Thank you, Mr. Warren. I yield back. 

Mr. Coffman. Mr. Warren, please be reminded that during the 
course of this oversight hearing and Committee investigation, it is 
a Federal crime, pursuant to 18 United States Code section 1001, 
in pertinent part, knowingly and willfully to falsify, conceal, or 
cover up a material fact, or to make any materially false, fictitious 
or fraudulent statement. 

Mr. Lamborn, you have 5 minutes. 

Mr. Lamborn. Thank you, Mr. Chairman. 

Mr. Warren, members of the previous panel testified under oath 
that foreign state actors have accessed sensitive information of vet- 
erans within the last 2 years and that the VA does not know how 
much information was stolen. Would you agree with that state- 
ment? 

Mr. Warren. I would say, Congressman Lamborn, there is that 
potential. I would tell you that, working with our partners at 
Homeland Security in terms of where they watch our gateway — so 
it’s not just the VA connected to the world and everything happens, 
we have Homeland Security, if you will, at the gate. So I have our 
team on our side and Homeland Security on the other side. And be- 
tween the two of us, we watch all the traffic going back and forth. 

So the ability of material to move, yes, there is always a poten- 
tial. We referred to a particular incident that the Inspector General 
talked about. I was aware of that incident. So I would tell you that 
one, we know happened. With the other ones, it’s still the potential 
and the probable, in terms of — 

Mr. Lamborn. And of the one that you will admit has happened, 
we don’t know how much information was taken because it was 
encrypted before being exported. Isn’t that correct? So we don’t 
know how little or how much the data was that was stolen? 
Mr. Warren. Sir, my recollection of that report — and what I’d 
like to do is go back and review that report to give you the answer 
in terms of what came out and what the report was able to tell us 
given the conditions that existed. 

Mr. Lamborn. What kind of dependent information is put into 
some veterans’ files? 

Mr. Warren. I would tell you, Congressman Lamborn, the vet- 
eran files are held in many locations in the VA, in many systems, 
whether in the electronic health record or whether in the new — 
used as part of the new VBMS system, as well as all the other sys- 
tems. So the information necessary to provide benefits or services 
is what we — 

Mr. Lamborn. So it can include the names and Social Security 
numbers of dependents. 

Mr. Warren. If that’s required as part of the claim or service 
process, sir. 

Mr. Lamborn. Another problem I have is — and this happened to 
me recently. I got a credit card in the mail. It turns out that my 
credit card issuer had been compromised, so everyone had to get 
a new credit card. And we had to go back and change the numbers 
on all our accounts. It was a big hassle. Fortunately, nothing was 
stolen that I know of. But what happens when a Social Security 
number is stolen? You can’t replace that. I mean, we’re talking 
about something really serious here. Are you aware of how serious 
this is? 

Mr. Warren. Congressman Lamborn, we take any potential inci- 
dent and any incident very seriously. I take it personally. It’s one 
of the reasons why the VA offers credit monitoring. So even when 
there is a potential, we reach out to the veteran and we offer them 
that credit monitoring for a year. We also have a 1-800 number 
that we’ve made available to veterans if they have any questions 
so that they can reach out to us if by chance something does hap- 
pen, so we can help them, walk them through that process. 

Mr. Lamborn. You said earlier that we place the highest priority 
on protecting this information, and yet members of the OIG indi- 
cated that for more than 10 consecutive years, independent public 
accounting firms under contract with OIG have identified informa- 
tion technology security controls in the VA as a material weakness. 
How can that condition have persisted for 10 years if that’s your 
highest priority? 

Mr. Warren. Congressman Lamborn, thank you for that ques- 
tion. I would tell you that material weakness is actually a financial 
term. It’s the same type of term used as part of Sarbanes-Oxley in 
terms of laying those financial controls on the organization. So the 
material weakness says there is a question about whether the fi- 
nancial data in the system is secure or not. 

So material weakness, yes. I will tell you that, as an organiza- 
tion, the Department wasn’t going, we’ve got a material weakness, 
move on. Every year we took the inputs — and I’ve only been with 
the VA for 7 of those 10 years — every year I’ve been there we took 
those inputs and we laid out what we needed to do. We laid the 
resources on it. We put focus on training. And I will tell you it 
wasn’t enough. And so 2 years ago, this major effort of doing 
CRISP, of taking the whole organization — not just the IT organiza- 
tion, but taking the whole organization, because information pro- 
tection is not just an IT thing. 

Mr. Lamborn. Well, I’ll agree with one thing you’ve just said 
when you said it wasn’t enough. I certainly agree with that. 

And how do we know that there isn’t going to be some kind of 
document dump by a foreign actor, you know, WikiLeaks or some- 
thing like that? I mean, there are so many things — health care 
records. There is such sensitive information in health care records. 
So we’re not just talking about Social Security numbers, there’s 
health care records. We shouldn’t be here today, and I am sad that 
we are at this juncture right now. 

Mr. Chairman, I yield back. 

Mr. Coffman. Thank you, Mr. Lamborn. 

Mr. O’Rourke. 

Mr. O’Rourke. Thank you, Mr. Chairman. 

For Mr. Warren, I’m not as conversant in the details of these 
issues and the different systems and protocols involved as I would 
like to be, but I think it’s fair to say that the picture you paint of 
the VA’s IT system and the vulnerabilities is very different than 
the one that we just heard from, from Ms. Halliday. And I think 
you heard many of us say that what we heard presented was unac- 
ceptable in terms of the vulnerabilities, unacceptable in terms of 
the amount of time that the VA has known about those 
vulnerabilities without successfully addressing them, some con- 
cerns about when information was reported to this Committee and 
others in terms of breaches to the system and retrieval of informa- 
tion by foreign actors. 

Can you just, so in general terms that I can understand, address 
that discrepancy from what we just heard to what you’re pre- 
senting? You seem to be saying that things are generally under 
control. 

Mr. Warren. I would tell you the state of security and the work 
we need to do is something that I wrestle with all the time. Am 
I satisfied with where we are? No, I’m not. Can we do better in 
terms of fixing the things that our partners in the IG and the audit 
community have identified? Yes. And we are dedicated to doing 
that. 

But the difference that you are hearing from myself versus the 
audit community is, they have to deal with potential: Is there a 
chance? Is there any opportunity for something like that to hap- 
pen? And the answer will always be yes. It will always be yes, that 
there is a potential. So if you ever ask me, or even if you ask me 
today, can I guarantee that everything is perfect and wonderful? I 
could not give you that guarantee because it’s constantly changing, 
the technology constantly changes. 

So my focus is more of a very pragmatic operational person 
whose job is to try and make sure we continue to deliver those ben- 
efits and services in a way that has the least risk, the one that 
does not put our veterans’ information at risk while we do that. 
And again, is it where I want it to be? No. Do we continue to drive 
on getting it to where we need to be? Yes. 

Mr. O’Rourke. In terms of the 32 recommended steps that need 
to be implemented — and I asked the IG’s Office about what the 
timeframe would be to implement those — do you agree that it’s a 
12-to-18-month implementation timeframe? 

Mr. Warren. Yes, sir. And in fact, when the report gets pub- 
lished, you will find there is a departmental response. And it actu- 
ally lays out what it is that we have in place and what we are 
going to do. And I believe the latest date I have when I signed out 
that document with all the different organizations was September 
2014 for some of the longer items. And I believe that fits within 
that 12-to-18-month period. 

But there are many things that are happening now. We have 
some significant things coming online at the end of August. There 
are things taking place between now and August. But the longer, 
harder ones take that extra time to get there. 

Mr. O’Rourke. And so there are no fundamental differences be- 
tween your office and the IG’s report in terms of what they just de- 
scribed to us in their findings, their vulnerabilities, and the seri- 
ousness of those vulnerabilities and threats? 

Mr. Warren. I will tell you, there were many reports referred to 
in the prior panel. You will find that if you look at the report and 
you look in the appendix, the place where the Department did not 
agree with the findings, you will find a statement in there that 
says — again, we always thank our partners to come in. We see 
them as part of the team. They give us that outside view. But 
where we disagreed with what their observations were, we nor- 
mally state that in the document. 

So, given the Chairman’s reminder, I need to make sure that 
where the Department did not agree, we stated in the report. And 
we also state what it is we’re doing as a result of what they find 
and what our plan of actions are. And then we give a quarterly up- 
date to all of the things that we said we are going to do. And as 
the Acting Assistant Secretary, I sign off on every one of those 
quarterly reports in terms of what we said we were going to do, 
what did we do to ensure that we are responsive not only to what 
the Inspector General identified, but ensuring that we’re doing ev- 
erything we need to do to protect our veterans data. 

Mr. O’Rourke. Let me ask one more question. You’ve used the 
terms “possible,” “probable” and “actual” several times in response 
to our questions. A question I asked of the previous panel, can you 
tell us of an actual incident where, because of a security vulner- 
ability, private information from a veteran was retrieved by some- 
one to negatively impact that veteran, whether they stole their So- 
cial Security number or other personal data that was then used to 
harm that veteran? 

Mr. Warren. I am aware of several incidents, and I will describe 
one for you. It’s an individual who accessed — he was a system ad- 
ministrator — again, not foreign, but domestic — accessed the data- 
base and used the information to do identity theft. When identified, 
we refer those to the IG and they bring in criminal investigations. 
So, in that regard, there was an individual who breached the sys- 
tem. It is always referred to law enforcement. It is always referred 
to law enforcement. And then we provide credit monitoring, and we 
also work with the law enforcement folks to make sure that they 
have full access to do what they need to do. 
So I will tell you, large organization, lots of people, there are 
going to be folks who do bad things. As we find them, we refer 
them to law enforcement for them to take action. And then we just 
keep, as a result of what we saw — what then do we do, right; how 
did that person get in there. So you will see there is a very strong 
personal accountability program the Department is bringing on- 
board to go ask the question, are we hiring the right people? Do 
they have the right credentials? Are there flags here on their per- 
sonnel records such that we really shouldn’t be putting them into 
a position of trust — not an IT thing, but the broader aspect of how 
you hire folks and how you make sure you’re bringing in the right 
folks. 

Mr. O’Rourke. Thank you. 

Thank you, Mr. Chairman. 

Mr. Coffman. Just real quick. When the OIG, in their report, 
said that your system got hacked by foreign actors, do you refute 
that as part of your response? 

Mr. Warren. So, again, I believe you’re referring to that August 
report. Let me just make sure what you’re referring to, Mr. Chair- 
man, if I can. I don’t have enough information to answer your ques- 
tion, sir. 

Mr. Coffman. So you’re not aware — in the OIG report, in their 
testimony, when they were up here, they referenced that your sys- 
tem got hacked by foreign actors. First of all, do you acknowledge 
that? 

Mr. Warren. I believe I already have in my testimony, Mr. 
Chairman. 

Mr. Coffman. Yes or no? 

Mr. Warren. Yes. 

Mr. Coffman. Very well. 

Dr. Poe for 5 minutes. 

Mr. Roe. Thank you, Mr. Chairman. 

And a couple of questions that Congressman Lamborn talked 
about. 

One of the reasons that, the way I understand this from listening 
this afternoon, that you might not know what information is going 
out is that the information that people were after was not 
encrypted. But on the way out the door it was encrypted, so you 
couldn’t read what was gone. So you could truthfully sit there and 
say we don’t know what’s been stolen because you really don’t 
know. And it should just have been the other way around; we 
should have had the data encrypted so that nobody could have got- 
ten a hold of it or done anything with it. Am I right or wrong with 
that? Did I misunderstand? 

Mr. Warren. No, Congressman Roe, you are actually laying it 
out appropriately. And again, with the report that we’re referring 
to, glad to do a private briefing to the Committee with the details 
because of some of the issues around it. 

I will tell you that the area where the individuals were, were in 
the email area, in terms of pulling emails out. The one compen- 
sating controller, the thing we do as well, is many of our emails 
are encrypted. So the reference to unencrypted is information in 
databases. This particular information — which I believe has been 
referred to — deals with folks who went after email packages. In 
many cases, those are encrypted such that it would be difficult to 
read them. But again, because, as you rightfully pointed out, the 
data left the network encrypted, it’s hard to say yes or no what it 
was. 

Mr. Roe. I understand that now. And let me ask, would any of 
this other information, since you — do you cover the part of the VA 
involved in contracting? Is that data — not just personal informa- 
tion, but is contract data? In other words, if I’m bidding on a 
project out here, would a foreign competitor know what that con- 
tract was? Because we certainly have seen that in other areas. Is 
that possible? 

Mr. Warren. Sir, I can’t refute the possible of any scenario in 
terms, again, there are no absolutes in information security. We 
strive to make sure there aren’t any — 

Mr. Roe. Let me stop you. I’ve heard that before. This August 
15th, there is an Office of Information Security, and you stated you 
heard — at least were known of one time that — I think that I under- 
stood this — that you had been hacked or pinged. March 10th and 
onward the DeepDive Analysis has been tracking activities of well- 
funded cyber-espionage teams that regularly target VA. Over the 
past 31 months, the DDA — that’s the Direct Dive Analysis — has 
identified eight of these teams as part of our threat program. Each 
team is assigned a name — I won’t go through that. Assigning a 
common nomenclature has allowed them to contribute each of their 
campaigns and see which one of them is the most effective. And it 
goes through how they were doing it. I’m sure you’re aware of that. 

Mr. Warren. Yes, sir. The key reporting and the fusion tech- 
nology team — so the individual whose report you’re reading from — 
is an initiative that I started in terms of asking folks to go out and 
start pulling data and understand what was going on. What I think 
what you will see — 

Mr. Roe. Help clear me up because you said you only heard of 
one — you only knew of one incident, and yet you started this, which 
there are eight different teams that are looking. And it appears 
from this information we have — which it makes sense that they 
most like to hack us during holiday times, which makes sense, your 
defenses are down. Thanksgiving, Christmas, those times when we 
would be less — our defenses are up less. 

Mr. Warren. I think what you’ll find, sir, if you read into that 
report, it’s targeting. So the report, again, it’s a very aggressive de- 
fensive policy in terms of through our network security folks is try- 
ing to identify where the threats are. Now, again, the August re- 
port we talked about, the specific instance where we saw the mate- 
rial leaving and some of the things that we did as a result of that, 
you will find there are reports like that that are published probably 
a couple times a month from the fusion team saying this is what 
we’re tracking, this is what we’re monitoring, this is what we’re 
doing about it. 

Mr. Roe. But you wouldn’t be tracking those if they weren’t ac- 
tive. 

Mr. Warren. Sir, there are things known as honey pots, black 
holes, where the individual may try to come in. And what you do 
is you set up your perimeter so it looks like they’re actually getting 
into data, but they’re not. You’re actually tracking and capturing 
them. 

The other piece, if I could, is there are actors you see inside, but 
you also set it up on the outside, where if they are trying to send 
data out, you basically put a trash can where the data goes versus 
leaving the Department. 

Mr. Roe. I have some more questions on that to see how many 
times that has happened. There is a note here I have that says 
over 400,000 systems in VA’s network do not even have a basic se- 
curity baseline installed. Is that correct or incorrect? 

Mr. Warren. Sir, I would need to basically validate where that 
report is coming from, and I will take that for the record. 

Mr. Roe. And lastly, just one quick question: Who are the state- 
sponsored actors that we’re dealing with? You haven’t called any 
names, but who are they? 

Mr. Warren. I would tell you, sir, that my preference is to do 
that in a closed session; otherwise I would put my clearance at 
risk, as well as the fines and penalties. 

Mr. Roe. That’s fine. That’s fine. I yield back. 

Mr. Coffman. Mr. Walz for 5 minutes, please. 

Mr. Walz. Thank you, Chairman. 

Thank you, Mr. Warren. 

Your data is on those computers too, correct, as a veteran? 

Mr. Warren. Yes, it is, sir. 

Mr. Walz. Okay. And you were over at FTC and DOE? 

Mr. Warren. Yes, sir. I was at the Federal Trade Commission, 
where I did the national Do Not Call Registry, something I’m very 
proud of, as well as annual credit monitoring that you can get, and 
then at the Department of Energy with the Weapons Clean Up 
Program. 

Mr. Walz. How does your knowledge over there — does the cur- 
rent job you’re in correspond with you having a knowledge of those 
organizations and their ability to provide security over data? Be- 
cause I’m assuming both of those have very sensitive data, espe- 
cially DOE, in terms of state secrets and things like that. So is 
there a comparison there? Can you tell us how they function or 
how VA’s system is in terms of robustness compared to those? 

Mr. Warren. I would tell you, sir, we are all facing the same 
threats. And we all put the protections in place and we work with 
each other. In fact, we have a very aggressive outreach program 
with the folks in the other organization. And there is also a larger 
effort through the Federal CIO Council to learn from each other 
and use our best practices because we are all facing that threat 
today. 

Mr. Walz. I agree. And this is what I’m trying to get at. And I 
think the gentlewoman from Indiana brought up a good point. 
States are trying to tackle this as they go. And I’m looking 
through, there’s a Privacy Rights Organization Clearinghouse that, 
as we speak, in realtime is listing this: Health Information Trust 
of Frisco, Texas, 111 record compromised. A dentist in Rochester, 
New York, on June 3, theft of a laptop, 13,806 records. 

One, though, that comes in here — and I think it brings to the 
point of what we’re trying to get at — is Hampton Roads Health 
System, Newport News, Virginia, talked about employees accessing 
information incorrectly. And it even notes in this that they were 
fired for that. And then of course there’s malicious content and all 
that. 

The point I’m trying to figure out here is, when you do this, is 
data security an all-or-nothing, zero-sum proposition? Is it an im- 
penetrable firewall, or it’s open access, or are decisions made in the 
business community as well as you that risk assessment and what 
is acceptable risk is in that? 

I’m assuming in the private sector now — and listening to Ms. 
Walorski brought up a very good point — is there is a huge market 
in identity theft insurance, data breach insurance on that. Those 
insurance underwriters must be drawing some guidelines on what 
is acceptable risk and what is not. Does that pertain to what you’re 
doing? Is the VA doing that very same risk analysis based on best 
practices of those underwriters? 

Mr. Warren. Yes, sir. We apply those same rules. It is baked 
into the standards that we follow. The National Institute of Stand- 
ards and Trust applies those to us. 

And to your question about, is there an all or nothing? I think 
our partners at DoD found out with WikiLeaks, in a secure system, 
you still could not guarantee the material would not — 

Mr. Walz. Well, what I guess I’m asking for is, is it worth — and 
I’m going to come to this question is: What’s the cost, have you fig- 
ured, to implement OIG’s recommendations? Is there a cost factor 
that takes into this? Say, for example, depending on where I’m at, 
versus a high crime versus a low crime neighborhood, I might not 
invest in the most robust security system, taking and thinking 
into — there hasn’t been a crime in my neighborhood in 75 years. 
Those are things that we work in. Now, if I always want to be ab- 
solutely sure, I could go to the top of the line every time and imple- 
ment that security. How do you view that at VA when you make 
those decisions? 

Mr. Warren. Sir, great question. Thank you for that question. 
We look at what the risk is. Is it something at the perimeter or is 
it something inside? Is the data inside something that has the 
highest level of need or something that is just transactional data? 
And the amount of resources we apply and the controls we put in 
place are actually tailored to the information that’s in the system 
and the potential risk. 

Mr. Walz. Does OIG take that into consideration when they put 
out their recommendations, that you are doing — what you’re telling 
me is, you are doing a risk analysis, a cost-benefit analysis. Is OIG 
asking or saying this is the ultimate perfect world, what it looks 
like in security? Are they factoring that in? 

Mr. Warren. I believe my partners in the Inspector General Of- 
fice are taking that into consideration. But I will tell you they’ve 
done a fair appraisal, in terms of the FISMA audit, of areas where 
we need to continue our attention and focus. And I will tell you the 
one thing that tells me that we’re on the right path is we did this 
massive program last year called CRISP, which was more than just 
IT, it was the leadership of the organization — the VHAs, the VBAs, 
the NCAs. So they got engaged from the senior levels of what do 
we need to secure the enterprise. And we are seeing the critical 
things dealing with personal attitude by non-IT folks as well as IT 
folks is changing to where it needs to be. 

Mr. Walz. Well, if I heard that right, OIG did say they didn’t 
give an assessment based on it hasn’t run its whole course yet. So 
what your assessment is, is at the end of this, when you go back 
and look at what CRISP did, we’re going to see a change across the 
spectrum, culturally and robustness of security. 

Mr. Warren. Yes, sir. We are seeing that change. And I will tell 
you the change will need to continue from here on out because we 
know that threat evolves with our change. 

Mr. Walz. I’m going to use my last 25 seconds here. You’re not 
going to get the opportunity to do this, but following you, Mr. Davis 
is going to speak and there’s going to be some questions of how 
things came out or why they came out. Is there anything you’d like 
to address? I’m out of time here. You know the situation, the 
memorandum and how things are going to play out, and I think it’s 
only fair that you be able to respond. 

Mr. Warren. I would tell you, sir, I was perplexed by what hap- 
pened and how it went down. I was troubled by the fact that there 
are two memos in circulation, a memo dated 29 January that I and 
leadership received, and the one that we received from the Com- 
mittee that was signed on the 28th of January that we were not 
aware of the existence of it until Friday, when the Committee staff 
gave it to us. And the memos are almost identical except for one 
paragraph, and that paragraph says: “Clear and present danger.” 

I will tell you, if anyone tells me there’s a clear and present dan- 
ger, I pick them up and I walk them over to the IC and say, tell 
them what it is that I am missing here. I actually did that on the 
29th with the memo received. That memo I took to the IC. 

On Friday, when I learned of the existence of a second memo dif- 
ferent than the one the Department received, I took both of those 
memos and I reached to the IC and said, I need you to help me 
figure this out because I cannot figure out why the Department 
would get one memo with four paragraphs and the Committee 
would get a different memo with five paragraphs and the difference 
is “clear and present danger.” That was not communicated in the 
memo we received. And I’ll tell you, I am still perplexed on why 
that would exist. 

Mr. Walz. Mr. Chairman, I thank you for indulging the extra 
time. 

Mr. Coffman. Ms. Walorski for 5 minutes. 

Mrs. Walorski. Thank you, Mr. Chairman. 

Mr. Warren, can you guarantee that the veterans in my district, 
in Indiana’s Second District, have not suffered a security breach? 

Mr. Warren. Ma’am, I’d be lying to you if I made that guar- 
antee. Again, it is all about what the risks are. And we try our 
darnedest — in fact, we do more than try our darnedest. 

Mrs. Walorski. But you can’t guarantee that. 

Mr. Warren. I can’t — and in fact, nobody — if someone sat here 
and guaranteed, you should haul them out of here — 

Mrs. Walorski. All right. Do you personally, sir, do you person- 
ally feel responsible for the fact that we have a Nation of veterans 
that are vulnerable? 

Mr. Warren. I care deeply that we are not further — 

Mrs. Walorski. Do you feel personally responsible, when you 
leave and check out at night and go home, do you feel responsible 
for the fact that there are various security breaches and our whole 
Nation’s veterans are at risk? 

Mr. Warren. Ma’am, I go home tired every night for all the 
things that I do. 

Mrs. Walorski. Do you feel responsible for all the things that we 
talked about here today? 

Mr. Warren. Ma’am, I’m personally responsible for the organiza- 
tion as the Acting CIO. 

Mrs. Walorski. Thank you. 

I yield back my time to Dr. Roe. 

Mr. Roe. Just a couple of questions, and maybe I got to this be- 
fore. But are the state actors, is that classified information? Be- 
cause I’ve seen published reports. I mean, we’ve just had the Chi- 
nese in every headline in the world here saying, oh, it’s not a big 
deal, it’s not a big. We know it’s a big deal. So who are the state 
actors? 

Mr. Warren. Sir, as a young lieutenant, one of the first briefings 
I got when I came onboard was that just because something is pub- 
lished in the press, if you receive a briefing that says it’s classified, 
until the classifying authority says it’s clear, it’s classified no mat- 
ter what you read. 

Mr. Roe. The briefings you’ve had, I mean, what you’ve got done 
right here, when you determine with what you’re doing that some- 
body is trying to breach your firewalls and get into data that’s in 
the VA system, that’s classified information, you can’t come here to 
this Committee and say, this is what happened? 

Mr. Warren. Sir, actually, you had asked me a different ques- 
tion, which was the naming of the actors. We work with Homeland 
Security on our boundary, so they are in constant communication 
with us. They are telling us when they see stuff. We are telling 
them when we see stuff. 

Mr. Roe. We want you to tell us when you see stuff. What’s the 
problem with that? I thought that we all work for the American 
people. 

Mr. Warren. As do I, sir. 

Mr. Roe. Well, I include you. I said we all. You, me, everybody 
in this room who’s here who’s a public servant works for the Amer- 
ican people. They have a right to know who’s trying to get into 
their personal information. I would like to know who’s trying to get 
into the veterans that I serve, the 70-something thousand of them 
that live in northeast Tennessee. 

Mr. Warren. Congressman Roe, we would be glad to come up 
and give you that private briefing with all of the material you 
would like. 

Mr. Roe. I guess my question is — second question is — why is that 
classified? Why wouldn’t that be public? When people are trying to 
steal from you, we ought to let the people in our country know 
who’s trying to steal our own veterans’ information, I think. I think 
that’s very important to be public. Why are we hiding that? And 
that’s above where you are, I understand that. But that’s a philo- 
sophical question. 
The next question is, is that, when we come back a year from 
now — I’ve been here now 4-1/2 years, and I see problems that lin- 
ger on and on and on. Are we going to come back 1 year from now 
and have the same conversation? And I totally agree with you, Mr. 
Warren, when you were saying you couldn’t absolutely guarantee. 
I’ve had people come to me when I’m taking them to the operating 
room and say, will you guarantee that I’m going to live through the 
surgery? Well, I can’t guarantee that. I got that. I understand that. 
But with as good a system, can we say a year from now that the 
IG, in fact, who gave a very good report, you will have met those 
metrics that you agree with, and then you all work out if you don’t 
agree with them? 

Mr. Warren. Sir, I would like to take the 12 to 18 months the 
IG identified. But the intent is to clear as many of those as we can 
in the 12 months with the schedule we’ve given them, and to keep 
moving through those until we’ve cleared them all. 

Mr. Roe. I yield back. 

Mr. Coffman. Thank you, Mr. Chairman. 

Mr. Huelskamp. 

Mr. Huelskamp. Thank you, Mr. Chairman. 

Mr. Warren, the IG’s testimony outlined some pretty serious defi- 
ciencies in the Office of Information and Technology. And according 
to the evidence, VA’s network has been accessed by foreign state 
actors since March 2010. And in that fiscal year, and since then, 
you’ve received a grand total of more than $87,000 in bonuses. Can 
you explain how you merit such a large amount in bonuses? 

Mr. Warren. Sir, as you’re aware, the way the compensation sys- 
tem works in the Federal Government is a performance plan is laid 
on an employee, as in myself. A supervisor sits down and lays out 
what I expect from you in the year. And based upon how you do, 
there is an appraisal given. 

Mr. Huelskamp. So how you did was worthy of $87,000 in bo- 
nuses? Is that your understanding? 

Mr. Warren. I believe, as a result of me exceeding the perform- 
ance expectations that my leadership have laid on me, I was recog- 
nized with performance awards of that amount. 

Mr. Huelskamp. Okay. I’d like to ask a question as well, that you 
did state there were no absolutes in your mind in security. But we 
do have a letter here, a very absolute statement from your boss, 
the Secretary, that says, quote, “To be clear, VA’s security posture 
was never at risk.” 

Is that a true or false statement? 

Mr. Warren. I would tell you, sir, as the person who ghostwrote 
that memo, in terms of doing the staff work for the Secretary, I 
was not clear in my language and I take ownership of that. 

Mr. Huelskamp. Is it true or false? 

Mr. Warren. It is true with respect to the ATO process, which 
this memo was trying to answer. With respect to the broader ques- 
tion, as we’ve already talked about today, there always is some 
risk. And so again — 

Mr. Huelskamp. Is this a false statement then? 

Mr. Warren. I would not say it was a false statement, sir. 

Mr. Huelskamp. It’s an inadequate statement? A mistake? 
Mr. Lowe, let me ask you a question: Have you ever brought to 
Mr. Warren’s attention that there are significant security issues 
that need to be addressed? 

Mr. Lowe. Congressman, thank you. 

Have I ever brought attention to Mr. Warren that there are sig- 
nificant security issues that need to be addressed? No, sir, I have 
not. 

Mr. Huelskamp. You have not? 

Mr. Lowe. I have not. 

Mr. Huelskamp. Usually, I try to anticipate an answer. And to 
anticipate an answer that in your job you have never identified a 
single security risk really strains credibility. Your own testimony. 

So you’ve never sent an email, never made a statement to Mr. 
Warren or his superiors that there are any security risks in the IT 
system at the VA? 

Mr. Lowe. I brief Mr. Warren and the Secretary frequently on 
security risks for the organization. 

Mr. Huelskamp. Do you know how many foreign state actors 
have been identified as perhaps intruding upon the system? 

Mr. Lowe. I know that there are foreign state actors that are — 

Mr. Huelskamp. Do you know how many have you identified? Is 
there one or more? 

Mr. Lowe. Individual state actors? 

Mr. Huelskamp. The individual states. It’s a pretty clear ques- 
tion. 

Mr. Lowe. Yes, sir. 

Mr. Huelskamp. Have you identified more than one? 

Mr. Lowe. Yes, sir. 

Mr. Huelskamp. How many more? Mr. Warren said there was 
only one, in his earlier testimony. How many more were identified? 

Mr. Lowe. How many more state actors that are actively trying 
to penetrate the network or actors that have penetrated — 

Mr. Huelskamp. I’m guessing there will be a second round of 
questions, so it probably doesn’t help to try to stall. Would you an- 
swer the question? How many more? 

Mr. Lowe. Sir, I have been in this position for approximately 90 
days. I’m still trying to ascertain the state of the organization. 

Mr. Huelskamp. Have you seen any memos that would identify 
more than one? 

Mr. Lowe. More than one — 

Mr. Huelskamp. State actor. You believe there’s more than one. 
Mr. Warren stated there was only one. You believe there’s more 
than one. I am asking how many more? 

Mr. Lowe. I don’t know the answer off the top of my head, sir. 
If I could get back to you on the record, I would appreciate it. 

Mr. Huelskamp. Well, I will note for the Committee I’ve had a 
grand total of, I believe 23 questions. I’ve been waiting for 264 days 
for your agency to respond. As Dr. Roe mentioned, we’re supposed 
to be working for the American people. And when your agency, 
your bosses refuse to answer questions, it looks like you’re covering 
things up. When you say there’s one state actor, he says there’s 
more, he’s only been here for 90 days, we’ve got a report from the 
people that work for you, Mr. Warren — you know this report. You 
know there’s eight actors identified on here. And you claimed 
there’s only one in your earlier testimony. I think that’s embar- 
rassing. It’s not only embarrassing, you’re sworn under oath. So I’m 
going to ask you one more time, how many state actors have you 
identified or believe are out there that have accessed the system 
for 20 million veterans and their dependents? 

Mr. Warren. Congressman Huelskamp, I believe that question is 
directed to myself? 

Mr. Huelskamp. Is your name Mr. Warren? Answer the ques- 
tion, please. Let’s get on with it. We’re doing the business of an- 
swering questions. Please answer them. I come from Kansas. We 
don’t go through all this trying to act like we don’t know what the 
question is. I asked your name. Answer the question. 

Mr. Warren. I would tell you that the Department, through the 
NSOC, is aware of multiple state actors who are trying to take ac- 
tion against the Department. 

And I will tell you it is more than just state actors. It is very 
known in the community that it is more than countries. There are 
syndicates who have this as a money-making activity. And I believe 
that’s also in the open press in terms of it’s not just countries, it’s 
individuals, it’s groups of individuals. And it is not just veteran 
data they’re going after, they go after your home, your home com- 
puter, Web sites you go to. And there is a very aggressive effort, 
and I know that Congress is engaged in terms of what’s notifica- 
tion, what you should notify, how we share, and how do we do all 
those things. 

Mr. Huelskamp. But you’re comfortable with the current secu- 
rity risk? 

Mr. Warren. I am not comfortable with the current security risk, 
sir. And again, I will tell you the safest computer is the one you 
don’t hook up to the Internet. 

Mr. Coffman. Mr. Huelskamp, we’ll do a second round. 

Mr. Huelskamp. Thank you, Mr. Chairman. 

Mr. Coffman. Mr. Warren, so we know that we’ve been hacked 
by a foreign actor, we know that, the VA system. We know that 
they encrypted their way out, exiting. So we don’t know what they 
took. We know that the system contains the personal identification 
information for about 20 million veterans. So isn’t it possible that 
they could have taken all of that — that there is an entity, having 
hacked our system, that has all the personal identifying informa- 
tion for all our 20 million veterans? Isn’t that correct? 

Mr. Warren. Sir, I am very concerned about stringing all those 
facts together and stating a causality. In other words, this, this, 
this, this means. 

Mr. Coffman. Well, okay, let’s walk through it then. 

Number one, our system has been hacked, correct? 

Mr. Warren. We are aware of incidents — 

Mr. Coffman. That’s right. Number two, that they encrypted — 
that they penetrated the system, and they encrypted on their way 
out, so we don’t know what files they took. Is that correct? 

Mr. Warren. In the incident referred to, there was data removed 
that was encrypted, yes, sir. 

Mr. Coffman. So we don’t know what files they took, correct? 

Mr. Warren. We do not know what files they took out of the VA. 
Mr. Coffman. Had access to information pertaining to our 20 
million veterans, did they not? 

Mr. Warren. I would tell you, sir, that is the point where I di- 
verge, because it’s not clear where they had access, right. So you’re 
assuming the VA is a small place with one computer. 

Mr. Coffman. You’re right, we don’t know. That’s the problem. 
We don’t know. That’s right. And so the fact is that they had access 
to the 20 million veterans. Aren’t you concerned about that? 

Mr. Warren. Sir, I am concerned any time veterans’ data is put 
at risk. 

Mr. Coffman. Don’t you feel that the veterans of this country — 
I being one of them, and there are some other veterans on this 
Committee — ought to be warned of that fact? 

Mr. Warren. I believe you are accomplishing that through this 
hearing, sir. 

Mr. Coffman. Should you have accomplished that? 

Mr. Warren. To what end, sir? To drive veterans away from the 
health care they need, the mental health care they need? 

Mr. Coffman. To inform them that they need to watch out, the 
fact their — that the system had been compromised, just as any pri- 
vate entity that had been compromised would notify the consumers 
that they serve. You, in fact, had an obligation to notify the con- 
sumers that you serve. That’s the men and women that served this 
Nation in uniform. 

Mr. Warren. Yes, sir, as I did. And any time there is the poten- 
tial where we believe there is the potential of a breach, we offer 
credit monitoring — 

Mr. Coffman. There was a breach. 

Mr. Warren. We offer credit monitoring for a year. We have a 
hotline to provide those services to individuals. In the past, we 
have received emails from Homeland Security — 

Mr. Coffman. Ranking Member Kirkpatrick. 

Mrs. Kirkpatrick. I yield back. 

Mr. Coffman. Mr. Lamborn. 

Mr. Lamborn. Thank you, Mr. Chairman, and once again, thank 
you for your leadership on this issue. 

Mr. Warren, it was testified under oath by the previous panel 
that when you own the domain controls you own the network and 
that that is what happened at the VA. Would you agree with that 
statement? 

Mr. Warren. I would tell you, sir, that when you have the do- 
main controllers you can go where you would like. That is not nec- 
essarily the same as owning the network. Owning the network 
means you control what anybody does or anybody can do and 
where all the traffic goes. That is not the case. 

Mr. Lamborn. But if you are looking for information and you can 
go wherever you want to go, that is a pretty bad situation. 

Mr. Warren. As I believe I have — yes, sir. 

Mr. Lamborn. Can you tell me about the APO process, the cer- 
tification process? I hope I am using the right terminology. 

Mr. Warren. Yes, sir. The authority to operate process is some- 
thing that was established I think approximately in 2002 by the E- 
Gov Act. It was a paper process that was used, very routinized, 
very checklist focused, very document oriented, to if you are bring- 
ing a system online, are you putting it in a box and controlling all 
of the boundaries on the box in such a way that it was worth the 
risk to the organization for the system to run. 

Mr. Lamborn. Okay, thank you. So if you go to a vendor or if 
you go to someone in the VA and say I want you to certify that ev- 
erything is working properly and is secure, how long would it nor- 
mally take them to do that? 

Mr. Warren. So the ATO process is actually an ongoing 
process. Multiple documents are on different schedules on when 
they are generated and when they are updated. As an example, 
COOP/COG, which deals with what do you do if a system breaks, 
that gets checked and exercised on an annual basis, and in fact 
every year the IG comes in and looks at have you done that? That 
is a part of that. There is a system security plan which is the de- 
scription of it. There is the security controls in terms of what you 
are doing. There are the management controls in terms of what you 
put in place because technology can’t do it. And there is a whole 
list of documents that you run through. Each of those are on a dif- 
ferent schedule. So when you talk certifying, there are multiple 
steps in the process. 

Mr. Lamborn. Okay. What would be a normal range of high-end 
and low end of how long that certification would take? 

Mr. Warren. Sir, if you are referring to the last two steps, which 
I take it you are, which is the individual looking at all of the mate- 
rial that exists and asking is it relevant and correct and then rec- 
ommending authorization, I believe you can do that in 2 weeks to 
30 days if you have a well-run organization. 

Mr. Lamborn. Two weeks to 30 days. 

Mr. Warren. For the last two steps of the process. As I said, all 
of the other ones are ongoing. Those last two steps are validating 
that the individuals below, the information security officer, the sys- 
tem owner, the facility, have actually done all the things and cer- 
tified, attested that all of the information is correct, that it is cur- 
rent. So that certification process is not a go do a lot of work. It 
is make sure all the folks below you, all the processes you are re- 
sponsible for, have happened. 

Mr. Lamborn. So if you accepted certifications like that in that 
2 weeks to 30 days or 2 months process, then you would also be 
trusting that everything before those last two steps had been ac- 
complished on an ongoing and regular basis? 

Mr. Warren. Yes, sir. You count on the signature of the indi- 
vidual and the attestation they have done their job. And I will tell 
you, when we did that first cycle, of the 268 documents that were 
signed, I rejected over 40 percent because when I looked at the un- 
derlying documentation, which is how I do things, it did not meet 
the standard and I sent them back to be redone. So the certifier 
said yep, it is ready, but when I did that first set, 44 percent did 
not meet it. 

Mr. Lamborn. So you would not accept an ATO without all of the 
previous steps having been done on an ongoing basis up to the last 
two steps and then reviewing it once again for those last two steps? 

Mr. Warren. Yes, sir. 

Mr. Lamborn. And you would not rush something through just 
to look good or something like that? 

Mr. Warren. Sir, my signature means a heck of a lot to me, so 
when I sign something saying that I am accepting the risk, I am 
accepting that risk. So I believe I laid out a responsible time period 
for something to be done and I had an expectation that the indi- 
vidual would have done all the things necessary such that when it 
got to me that it needed to be done. And in fact the action was 
given in November in a meeting where the individual accepted the 
responsibility to do the job by February. It had been talked about 
prior to that in multiple meetings about the need to fix that proc- 
ess. I was expecting at the end of the process that all of the things 
they were responsible for had happened. And even though they 
were, I still checked and rejected the ones that did not meet the 
standard. 

Mr. Lamborn. All right. Thank you. 

Mr. Coffman. Mr. Warren, a quick question. Did you mislead 
the Secretary of Veterans Affairs when you had inserted the lan- 
guage in the letter that was sent to me on May 14th, “To be clear, 
VA security posture was never at risk.” Did you mislead the Sec- 
retary? 

Mr. Warren. Mr. Chairman, I did not intend to mislead the Sec- 
retary. 

Mr. Coffman. But you did? 

Mr. Warren. I don’t believe I did. 

Mr. Coffman. You did? 

Mr. Warren. I believe my answer was within the context of the 
question which was dealing with the ATO process. 

Mr. Coffman. Dr. Roe. 

Mr. Roe. Just very briefly. Mr. Warren, one of the things that 
is most important I think at the VA or with anyone in health care 
is trust. You have to trust not only the person that is seeing you, 
providing the care, but you have to trust that that information will 
be protected. Because many times it could be very embarrassing if 
something had occurred to you years ago that maybe current fam- 
ily members, other people don’t know about, right now the relation- 
ships you have had, issues that come along, mental health care 
issues. That is why it is so — not just money, but that is why that 
is important. 

And I guess a question that I have, and the VA has not done an 
exemplary job, in 2006 with the laptop it took forever to notify peo- 
ple. Secondly, when the issue came along with the colonoscopies, 
that wasn’t handled very well by the VA. And I don’t think that 
veterans right now understand, as a matter of fact I guarantee you 
they won’t until they see this hearing today and the word gets out 
among the veteran community that all of their personal informa- 
tion potentially is at risk. 

I guess the question I have for you is, are you concerned at all 
about your data in the VA, if you go to the VA, about your own 
personal information, you? 

Mr. Warren. Sir, I have no reservation about using VA benefits 
or services, placing the data, my data in the veterans’ hands, into 
my staff’s hands, into the rest of the VA. I believe we would be 
doing a disservice to our veterans by telling them, hey, there is a 
disproportionate risk and therefore you should not be coming to the 
VA for those services or benefits. 
We know health care, and as you have already talked about in 
other settings about mental health care and making sure our vet- 
erans get that, I would hate that this, the potential to drive folks 
away from the services and the benefits not only that they have 
earned but they need. 

Mr. Roe. But equally just as bad is to have that information once 
they have shared it with somebody, shared with the world, I think 
Mr. Lamborn said in a WikiLeak drop. I think the most compelling 
thing you said, and I have to agree with you the more I hear in 
these hearings I go to, is don’t hook up a computer to the Internet 
if you don’t want somebody to know about it. Apparently if you 
can’t protect it, I mean that is what you said just a minute ago, 
whether you said that just out of exasperation or fact, but I think 
when you hook it up, you may be now, you may be an open book. 

Mr. Warren. I would tell you, sir, and it is a great area where 
we focus and it is the training of our workforce, our greatest asset 
and our greatest risk is our employee base, because if you do some- 
thing without thinking, if you do not think about where you go — 
in other words, if you go out to the Internet and you say “free car,” 
and you go to that Web site to get that free car, you are actually 
downloading probably malicious software. 

Within the VA, we protect against that. But when you are at 
home, if you go to the wrong place or your child goes to the wrong 
place or a visiting sibling or niece, you are putting that computer 
at risk, right? And one of the programs that we have at the VA is, 
we don’t allow you to hook your personal computer up to the VA. 
We actually allow you to come into the VA through a virtual envi- 
ronment so you don’t bring any of the things you have on your 
home computer. 

In fact, at the Federal Trade Commission before the virtual tech- 
nology had really matured, we paid for anti-virus protection for in- 
dividuals’ personal computer because we knew if they had to use 
it to get into the VA through remote or into the Federal Trade 
Commission. 

At the VA we don’t have to do that because we protect by doing 
virtual. But the behaviors that we build at the VA we want them 
to take home, because if you are at home dealing with identity 
theft because you did a bad thing unintentionally, you really can’t 
do your job at the VA as a result of it. 

Active aggressive education. Posters. Some of the things that we 
have been exploring with, and we did it at the Federal Trade Com- 
mission, is you do spoofs, right? You send individuals email at 
work intentionally, bad stuff, right, and you want them to basically 
do it. And you pop up and say don’t do this for real, because this, 
if this had been a real one, you would have just compromised your 
system. 

Mr. Coffman. Mr. Walz. 

Mr. Walz. I yield back my time, Mr. Chairman. 

Mr. Coffman. Mr. Huelskamp. 

Mr. Huelskamp. Thank you, Mr. Chairman. I apologize for my 
emotion earlier. I have a 95-year-old veteran uncle, a Purple Heart 
recipient who is facing some medical problems and the thought 
that his records might be at risk is particularly worrisome to me. 
But I have a few more follow-up questions for Mr. Warren and his 
assistant on some budget issues. 

If I understand correctly, the VA intends to transfer almost $69 
million to various IT efforts. Is any of that money destined for IT 
security? 

Mr. Warren. Sir, so I can make sure I am answering the ques- 
tion appropriately, is that referring to a reprogramming action that 
was sent up to the Hill, or is this something else? 

Mr. Huelskamp. That would be a reprogramming. 

Mr. Warren. This would be the reprogramming. I need to go 
back and confirm which accounts were being moved. I do not be- 
lieve — in fact, I am pretty sure that that transfer would not be de- 
grading any of the efforts we are doing in information security; 
that the work that we need to do to continue CRISP and to support 
the work on the material weakness that the IG has identified — 

Mr. Huelskamp. Is it enhancing your IT security efforts? 

Mr. Warren. I would tell you every day we are working on en- 
hancing our — 

Mr. Huelskamp. With this transfer, are you moving money to 
enhance the IT security? 

Mr. Warren. The primary purpose of those dollars, sir, that 
transfer, is to move accounts, move dollars out of different ac- 
counts — 

Mr. Huelskamp. Are you using it for enhancing IT security? Yes 
or no. 

Mr. Warren. I will need to go back and confirm if we are moving 
funds into the information security accounts. I can’t tell you that 
directly here, but I will get back to you, sir. 

Mr. Huelskamp. The second budget question would be, it is my 
understanding under your direction, the VA spent $14 million for 
a conference room, approximately $14 million for a conference room 
in Martinsburg, Virginia. Is that accurate? 

Mr. Warren. Sir, I would need to take that one for the record. 
The number I believe is high, but I need to go back and pull the 
records up to confirm. 

Mr. Huelskamp. When you say high, is that in the ballpark? 
Roughly? I appreciate getting the actual figures, but your best 
guess is how much was spent on this conference room? 

Mr. Warren. Sir, the reason I would like to take the question 
for the record is Martinsburg is a facility that has multiple con- 
ference facilities in it. It is a place where we have the NSOC in 
terms of our security group. So I don’t know if it is facilities we 
built for them. There is a location for the Secretary and the leader- 
ship team. I don’t know if it refers to that. We also have a com- 
mand post for the IT organization in case we deploy there. So I 
don’t know which one you are speaking to, so that is why I would 
like to take it for the record. 

Mr. Huelskamp. There is one here. It would be the one room 
that has a plaque on the wall with your name on it. And I don’t 
know if we have a copy of that. That would be the plaque that is 
on the wall. So if you are going to look for the room — is it cus- 
tomary in the VA to put your name on a plaque on a wall? 

Mr. Warren. Sir, that is actually the plaque to the building, and 
I was the responsible official that worked with the Congress to get 
the funding for that location. And I believe if you look in any new 
building that has been built, the names of the individuals respon- 
sible normally appear on the plaque. 

Mr. Huelskamp. I would actually say put about 300 million 
taxpayers on there as the ones responsible for the building. 

The last thing I want to ask you about, you mentioned credit 
monitoring services. 

Mr. Warren. Yes, sir. 

Mr. Huelskamp. Who do you provide those to? 

Mr. Warren. We provide those in any case where we believe 
there is the potential for the release of veterans data. 

Mr. Huelskamp. So you do that on an individual — 

Mr. Warren. On an individual basis. A letter is sent out to each 
of the veterans where — 

Mr. Huelskamp. Do you know how many you have provided this 
for? 

Mr. Warren. I will take that for the record and get it back to 
you, sir. 

Mr. Huelskamp. Okay. So you actually have identified individ- 
uals you believe their data is at risk and provided them credit mon- 
itoring services if they so choose? 

Mr. Warren. Any time we believe there is the potential of the 
information being released, we offer the credit monitoring protec- 
tion to those veterans. 

Mr. Huelskamp. Okay. And I understand you don’t believe any- 
thing is actual, you don’t have actually any loss of data. It is all 
potential. 

Mr. Warren. I will tell you, sir, we go the extra distance by of- 
fering that. We actually have a lower threshold for offering than 
anybody else because we want to be sure — 

Mr. Huelskamp. You know that how? 

Mr. Warren. Based upon our communication with the industry 
and conversations with folks who offer credit monitoring. I am not 
sure you will find other government agencies who offer credit moni- 
toring if there is the potential of a risk. I think the VA is unique 
in that regard. 

Mr. Huelskamp. I look forward to that information, the exact 
numbers of folks you have identified potentially at risk. 

Mr. Warren. Yes, sir. 

Mr. Huelskamp. Thank you, Mr. Chairman. I yield back. 

Mr. Coffman. Potentially, I think that number is about 20 mil- 
lion. Mr. Warren, thank you so much for your testimony today. Mr. 
Lowe, you are excused, both of you. Thank you. Stay around. I 
think if we have time we will do that classified setting after Mr. 
Davis gives testimony. 

On the last panel today is Mr. Jerry Davis, former Deputy As- 
sistant Secretary for Information Security for the Office of Informa- 
tion and Technology at the Department of Veterans Affairs. 

Before I recognize you, Mr. Davis, I ask that you please rise and 
raise your right hand. 

[Witness sworn.] 

Mr. Coffman. Please take your seat and you will be recognized 
for 5 minutes, Mr. Davis. 
STATEMENT OF JERRY L. DAVIS, FORMER DEPUTY ASSISTANT 
SECRETARY FOR INFORMATION SECURITY, OFFICE OF IN- 
FORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VET- 
ERANS AFFAIRS 

Mr. Davis. Chairman Coffman, Ranking Member Kirkpatrick, 
and Members of the Subcommittee, thank you for the opportunity 
to convey my concerns to you regarding the protection of informa- 
tion systems and information, which includes sensitive veteran 
data at the Department of Veterans Affairs. 

From August 2010 until February 2013 I served as the Deputy 
Assistant Secretary for Information Security and Chief Information 
Security Officer at the VA. As the DAS IS, I served as the 
most senior civil servant staff member within VA with responsi- 
bility for oversight and accountability and the protection of VA in- 
formation, VA privacy, records management, and the Freedom of 
Information, FOIA, Act process. 

At the time of my departure from VA in early February 2013, 
I was one of, if not the, longest-serving chief information security 
officers in the Federal Government, with nearly a decade of 
service in that role spread across multiple Federal agencies. I am 
also a Marine veteran, having served in combat with distinction 
during the first Gulf War, so the appointment to the position as the 
VA CISO had special meaning. It was a position that I did not take 
lightly and I was and I still am extremely proud to have had an 
opportunity to serve our country, and equally proud to have had an 
opportunity to serve the veteran community. 

My time at VA was largely filled with a great sense of pride be- 
cause of the purpose and mission of VA and because of my role, 
which had a direct and positive impact on the veteran community. 
However, there came a time at the end of my tenure where my 
pride turned to serious consternation, and that consternation re- 
mains to this day. 

In nearly 20 years of building and managing security programs 
across government and private industry, I have never seen an orga- 
nization with as many unintended security vulnerabilities. Upon 
my arrival in late August 2010, I inherited results of more than 15 
continuous years of an unintended and documented material weak- 
ness in IT security controls. This material weakness included more 
than 13,000 uncompleted IT security corrective actions. These 
13,000 corrective actions will require more than 100,000 sub-ac- 
tions to fully remediate and manage IT security vulnerabilities and 
improve the VA security posture. In early September 2010, I was 
also advised that nearly 600 VA systems’ Authority to Operate had 
expired and there was no plan in place to bring these systems into 
compliance. 

Despite the voluminous number of uncompleted corrective actions and expired ATOs, the most concerning issue was a conversation I had with the VA Principal Deputy Assistant Secretary Steph
Warren, who told me shortly after my arrival that we have 
uninvited visitors in the network. Further discussion with the VA 
network security operations team indicated that VA became aware 
of a serious network compromise in March 2010 and these 
uninvited visitors were nation-state sponsored attackers. 

Over the course of time while working with the VA NSOC and
external agencies I learned that these attackers were a nation-state 
sponsored cyber espionage unit and that no less than eight dif- 
ferent nation-state sponsored organizations had successfully com- 
promised VA networks and data or were actively attacking VA net- 
works, attacks that continue at VA to this very day. 

This group of attackers was taking advantage of weak technical controls within the VA network. Lack of controls such as
encryption on VA data bases holding millions of sensitive records, 
web applications containing common exploitable vulnerabilities, 
and weak authentication to sensitive systems contributed to suc- 
cessful unchallenged and unfettered access and exploitation of VA 
systems and information by this specific group of attackers. 

During my tenure, I consistently ensured that each instance of 
attack or compromise by this group of attackers was documented
and communicated to the VA OIT leadership through specialized 
reporting called Key Investigative Reporting performed by the 
NSOC Deep Dive analysis team and biweekly security meetings 
with the VA Principal Deputy Assistant Secretary, Mr. Steph Warren.

From late August 2010 until my departure in early February 
2013, I planned for and executed with support from various sub of- 
fices within OIT a series of initiatives and activities needed to im- 
prove network and system security with the particular focus on de- 
fending the network against sophisticated and targeted attacks lev- 
ied by nation-state sponsored organizations. Some of these initia- 
tives included a web application security program, the VA software 
assurance program, continuous monitoring and diagnostics of VA 
information systems, mandating encryption of all VA databases, 
and supported the reduction of the total number of VA databases 
hosting sensitive veteran information. 

During my tenure as CISO, with the support of VA as a whole,
we were able to close more than 10,000 of the 13,000 security cor- 
rective actions. In all, VA personnel executed more than 100,000 
sub actions. While these actions did improve security from a com- 
pliance perspective, there still existed a problem of fully imple- 
menting adequate technical security controls needed to defend net- 
work systems and system information from nation-state sponsored 
attackers. 

The heart of selecting the proper technical controls meant fully 
understanding the threat actors, their tactics, techniques and pro- 
cedures, and along with systems and network vulnerabilities in im- 
plementing a program that could continuously report on and reme- 
diate identified vulnerabilities in a near realtime fashion. 

Over time, the Office of Information Security worked to enhance 
a comprehensive program called Continuous Monitoring and 
Diagnostics that would provide adequate security of VA systems 
and networks by continually evaluating certain technical controls 
in a near realtime fashion. There is proof that a good CMD pro- 
gram monitoring the correct controls can significantly improve in- 
formation security and is consistent with the direction that the 
Federal Government is taking in securing Federal systems. It is 
also significantly superior to even a good paper-based ATO process. 

It is my testimony that at the time of my departure from VA
the process required for the DAS IS to make an attestation that 
VA systems were adequately secure was completely faulty and im- 
proper and implementation of the process veteran systems and VA 
information to further risk of compromise. It was confirmed to me 
by the VA information security staff charged with executing the 
process that it was flawed, provided no value, and that providing 
a positive attestation to the adequacy of security controls would se- 
riously compromise the integrity of the VA security program. I sub- 
sequently conveyed this message to the Assistant Secretary and the 
PDAS by formal memorandum and in conversation to the PDAS be- 
tween January 15, 2013, and January 23, 2013. 

VA Handbook 6500.3 states that the DAS is responsible for re- 
viewing all C&A packages and making a decision recommendation 
to the authorizing official to issue an IATO, ATO, or Denial of Authorization to Operate; and providing an IATO extension in the
event local management can demonstrate continuous monitoring 
and security due diligence are being provided. 

In accordance with VA information security policy and following 
VA information security procedures as a DAS IS, I elected to rec- 
ommend a denial of Authority to Operate and also elected to rec- 
ommend movement of VA systems over the course of eight months 
into an enhanced continuous monitoring program where systems 
technical controls can be centrally managed and evaluated in a 
near realtime fashion. I based my decision on the guidance pro- 
vided by the information security team on the fact that the paper- 
based process would not keep highly sophisticated nation-state 
sponsored attackers from further compromising VA data. 

Furthermore, as each VA system was transitioned into the con- 
tinuous monitoring program, additional specific critical controls 
would be evaluated for adequacy before being fully granted a full 
ATO. These additional critical controls are proven to slow and repel sophisticated nation-state sponsored attackers from compromising information systems and data. This was an agreed upon
process with the VA information security team and a process that 
had been briefed by me to the Director of IT Audits and Security 
within the VA Office of the Inspector General several weeks before 
the process implementation. 

Despite the authority granted to the DAS IS, to make the rec- 
ommendation to deny authorization, the VA OIT PDAS made a 
concerted effort to circumvent my authority and influence my deci- 
sion to make a recommendation to the accrediting official that 545 
VA systems be given an interim authority to operate. Furthermore, 
VA Handbook and policy 6500.3 and VA policy 6500 provide no
role or authority for the PDAS, OIT with regard to the program or 
processes governing authority to operate. 

To this end, I would recommend to this Subcommittee some rec- 
ommendations. Review all key investigation reports and Deep Dive 
analysis reports and Web Application Security Program reports to 
assess the damage and depth of exposure, extent of compromise to 
VA systems and compromise to Veteran information, and regularly 
report to the House Committee on Veterans Affairs on progress 
made with respect to mitigating access to VA systems and veteran 
information by nation-state sponsored organizations. 

Assess previously identified web application exposures and assess for potential compromise of veteran data, both PII and PHI.

Include web application exposures as part of the Data Breach 
Core Team evaluation process. 

Assess the potential compromise to non-VA networks sharing an 
interconnection with VA’s networks. 

Designate the VA network as a compromised environment and 
establish controls that are effective and support the reclamation of 
control back to VA from nation-state sponsored organizations. 

Move the VA systems into a full continuous monitoring and 
diagnostics program with near realtime situation awareness of a 
security posture with a focus on the 20 critical controls. 

Increase VA funding for VA security programs and number of in- 
formation security officers supporting VA field offices and facilities. 

Move reporting lines for the DAS Information Security directly to 
the Assistant Secretary OIT or to the Office of the Secretary, VA. 

Assess the past and present practices of the OIT leadership with 
regard to decisions made in the protection of VA systems and infor- 
mation. 

I would like to thank the Members of the Subcommittee for your 
time today and I look forward to any questions you may have. 

[The prepared statement of Jerry L. Davis appears in the 
Appendix] 

Mr. Coffman. Thank you, Mr. Davis. Mr. Davis, in your experi- 
ence, what would be the intended use for their access once these 
actors gained access into the network? 

Mr. Davis. The actors, once they get inside a network, depending 
on what their goals and objectives are, could be a number of things. 
So initially, once they get inside a network they establish a foot- 
hold and that foothold is actually meant and designed to allow 
them access into the network at another given time. So basically 
what they do is, they install backdoors into the network. Once they 
are inside the network and they have established those backdoors, 
they then attempt to move laterally throughout the network by 
compromising passwords, user names and things of that nature, 
and elevating their privileges so they can further move throughout 
the network and start looking at systems to potentially com- 
promise. 

Their long-term objective is to maintain a presence inside the 
network for whatever they need to do. So by maintaining the pres- 
ence means that they will attack multiple systems, they will con- 
tinue to steal passwords, user names, things of that nature, so they 
can maintain their presence, and then essentially take whatever 
data that they deem may be important for them. 

Mr. Coffman. Mr. Davis, can you elaborate on these nation-state 
attackers? 

Mr. Davis. So within VA I saw — we dealt with approximately 
eight different types of attackers or groups or organizations. In 
looking at reporting that was put out by industry experts, particu- 
larly a report in February of 2013, Mandiant, they identified 
attackers coming from the People’s Republic of China, the People’s 
Liberation Army, and in information that I had at the time and 
looking back when we did the analysis on those individuals, we 
identified that it was also the same groups. One of the groups was what we called the Comment Crew, and they are known to be sponsored by the People’s Liberation Army.

Mr. Coffman. Mr. Davis, how does an organization defend 
against these sophisticated attackers once they are in the network? 

Mr. Davis. Once they are in the network, once you understand 
that they are in the network, you have to do something which I call 
is, you are in a compromised environment. So there is a number 
of things that you need to do to understand how do you reclaim 
that environment. 

The first thing you need to do is identify which systems were 
compromised, do a forensics evaluation if you can on what was ac- 
tually taken, remove users from resources around the network and 
then do things such as look at what we call indications of com- 
promise. 

So this is basically digital fingerprints that we would have of dif- 
ferent groups who have compromised other environments and we 
now have their fingerprints. You will look for these indications of 
compromise and then basically go back and remediate all of those 
areas where you believe the compromise took place or where you 
know the compromise took place. 

So if you know that the compromise was a missing patch, you 
have to start patching past the systems. The problem is, is that 
once you realize that the individuals are in the network, on aver- 
age, they have already compromised the environment for generally 
up to a year by the time you figured out they have been in the net- 
work. So you may go back and patch a particular system, but they 
have already established backdoors elsewhere in the network. So it 
becomes sometimes chasing your tail around and around in circles 
in trying to identify where they are. So you may patch, but they 
will pop up again somewhere else. So it takes over time a number 
of years, months to years, to go through the organization system- 
atically and plug these holes. 

DoD puts out a very good document, it is not classified, it is sensitive but it is not classified, that is called Operating in a Compromised Environment, and it teaches organizations, it is instructions on how you actually operate in a compromised environment and reclaim that environment.

Mr. Coffman. Mr. Walz. 

Mr. Walz. Thank you, Chairman. Mr. Davis, thank you. Thank
you for your service both in uniform and after. 

I am going to try and go back at this issue because I think the 
issue of security and veterans security is paramount. The accusa- 
tions that have been laid out, I am going to get at this and try and 
figure it out. Can you tell me, was this issue over you pointing out 
that there were problems, did that lead to your departure from VA? 

Mr. Davis. The problems at VA didn’t lead to my departure. Like 
I said earlier, we had worked through a tremendous number of cor- 
rective actions. You know, as I said earlier, I worked through 
about — of the 13,000, we had gotten through about 10,000 of them. 
At that time I felt that the work that I was doing at VA, some 
other opportunities came up. I had an opportunity to move back to 
the West Coast where I am from originally and be closer to my 
family out there, was part of the reason why I elected to move
back. 

Mr. Walz. Because you signed off, if I am right here, in August 
31 of 2011 you did the extensions on the ATOs. 

Mr. Davis. That is correct. 

Mr. Walz. And then again you met with Mr. Warren on Novem- 
ber 29th about the expiring ATOs, and then on December 21st you 
informed him of your resignation. It is just personal timing on all 
this, is why this hit like this? 

Mr. Davis. Yes, it was the timing. I had actually notified the pre- 
vious Assistant Secretary Mr. Baker before November that I would 
be departing. I had just had a one-on-one with him and said that 
I have an opportunity to go back to the West Coast. I don’t have 
anything in writing but there has been a formal offer. When I get 
a formal offer — 

Mr. Walz. This was all prior to December 31st on the expiring 
ATOs. 

Mr. Davis. That is correct. 

Mr. Walz. Why would they have asked you when they knew you 
were leaving, you had already signed on to these, do you think it 
was appropriate at that time? Now, you say, the thing that I am 
going at is under duress. What did they do or ask you to do that 
violated your conscience on this to sign these things? 

Mr. Davis. The process to do the Authority to Operate, it is a 
sign-off that says — that gives my attestation that the systems are 
adequately secure. The process is pretty involved and very exten- 
sive. So the problem that I had was that the process was asked to 
be short-circuited. In other words, an email had come out from the 
OIT front office indicating that Mr. Warren wanted all the authorities to operate to be signed by the time I left, and that was 2
weeks. This is January 11th. So my team forwarded that to me — 

Mr. Walz. Why didn’t you just say no and walk away? Because 
what you are asking here is signing off on a system that is going 
to possibly lead to the breach of this. You knew it wasn’t working. 
You knew that there were violations made. But by putting your 
name on it, it gave the authorization to move it forward. You were 
already leaving your job and had notified them, and then a month 
later a memo is sent, and I am going to get to that in a minute, 
two different ones, and I find out about it here for this hearing. I 
am still trying to get at this. 

Mr. Davis. Yes, sir. At that point, I did say no in writing, in 
memorandum form to Mr. Baker, and that would have been on or 
about January 15th, immediately after I became aware that I was 
needed to sign these before I had departed. In the memorandum 
that I sent to Mr. Baker, I said that this is improper because all 
of the activities that are needed to make a decision on authorities 
to operate can’t be done in 2 weeks. I said there is going to be er- 
rors and omissions and that it was improper, we would jeopardize 
the integrity of security. 

Mr. Walz. Did someone threaten you? 

Mr. Davis. I wouldn’t say — no one threatened me, but basically 
I was told that I would not be getting — be given a transfer date,
a transfer date would not be given to the agency that picked me 
up until I signed off on the documentation. 

Mr. Walz. Who told you that about the transfer?

Mr. Davis. Mr. Warren. 

Mr. Walz. Mr. Warren said you would not be given a transfer
date if you wouldn’t sign on a document that your conscience told 
you was wrong? 

Mr. Davis. That is correct. And that was — I contacted the senior 
executive HR because the new organization was contacting me and 
asking me when was I going to be coming on board, because I had 
told them back in December that I would give VA 30 days to work 
through whatever I had left to do and I would be coming on board. 
At this point they are contacting VA. They are asking when am I 
going to get a release date. I contacted HRHCS and I was told that 
Mr. Warren said that you would not be given a release date be- 
cause you still had a project to finish. 

Mr. Walz. Did he miss this last paragraph in the memo you gave 
him? The one I have here says I attest that there is a clear and 
present danger and risk of exposure and compromise of the sen- 
sitive data. 

He testified under oath that he never got that, that this was 
added to the letter that was sent to Congress on January 28th, and 
on January 29th he got the letter without that there. 

Mr. Davis. He did indeed, sir, get a different copy. 

Mr. Walz. Why a different copy? 

Mr. Davis. Let me explain what happened. I originally — that was 
the original letter that I had written, and that letter was on an in- 
ternal — a letter that was going to VA internally and it had concur- 
rently copied all the Members of Congress. My business office came 
back to me, because we were putting it through the official VA sys- 
tem, my business office came back to me and said we don’t concur- 
rent copy Members of Congress on letters of this type. They get an 
individual memorandum. So I said okay. 

So they went ahead and drafted the individual memorandum in 
the background. Meanwhile, what I did was, I had someone look 
at the letter and they said they didn’t like the language. They said 
I don’t like the language. They said you probably should change 
this language at the bottom. It sounds a little bit dramatic and 
that sort of thing. 

Mr. Walz. Well, when I read this letter, the most important 
paragraph is the last one. 

Mr. Davis. Yes. It was — someone told me that I asked to — the 
person I asked to look at it thought it was overly dramatic. I said, 
you know, this is a dramatic thing, but maybe it is. So I did change 
the letter. But what had happened was I sent that inside, but then 
later on before I left, I had gotten copies of the original letters that 
came up here to the Members of Congress and those had went out. 

Mr. Walz. Okay, I will yield back. We will wait if there is a sec- 
ond round of questions. 

Mr. Coffman. Mr. Lamborn. 

Mr. Lamborn. Thank you, Mr. Chairman. 

Continuing on these ATOs, Mr. Warren testified that in a well 
run organization you can finish up the last two steps prior to sign- 
ing off on an ATO in as little as 2 weeks. Now, you did not feel 
that that was appropriate though, and why not? 

Mr. Davis. Because the team that was putting together, which
was the security team that worked under me that runs the what 
we call assessment and authorization process, they looked at the 
process — they put together the process, looked at it, brought it to 
me and said, sir, do not sign these, the process is not good. But I 
already knew that just by looking at what was coming up to me 
for me to sign that it wasn’t a good process. 

Mr. Lamborn. So in an ideal situation, if it was a well run orga- 
nization you could do that. So you are saying it wasn’t a well run 
organization? 

Mr. Davis. The ATO process that was taking place at the very 
end was not the general ATO process that we had done in the 2- 
1/2 years that I had been there. It was cut short, very abbreviated, 
to make this 2-week timeframe. And I said there is no way you can 
certify and accredit 600 systems in a 2-week timeframe by going 
through all the controls. 

The bigger problem that I had was there is a checklist, and some 
individuals have already testified to this. That on that checklist we 
were asking people out in the field to validate that the controls had 
not changed. My team that came back to me in reaching out to the 
field, one of the reasons they told me not to sign the document is 
because the individuals who were supposed to sign off on the 
checklist delegated the authority down, down, down into the orga- 
nization to hurry up and meet the timeframe. 

So you had individuals that had no concept about the security 
posture of the system checking off on this checklist and then send- 
ing them up to me for signature, and I just refused to sign them. 

Mr. Lamborn. Thank you. That is very illuminating, and I am 
sorry that we are even in this posture today. I am sorry that we 
have to have this hearing. 

You mentioned encryption and others have talked about that. 
Was it a negligent practice or a deficient practice not to have vet- 
erans’ personal information encrypted so that one of these, up to 
eight state actors or state sponsored or outside actors, had they 
accessed it, it would have been not usable to them? 

Mr. Davis. That is correct. Encryption of any sensitive data is a 
general policy. When I got to VA and we started looking, the VA 
policy, which is Directive 6500, encryption on databases was basi- 
cally optional. So in 2012, I said absolutely not. I am mandating 
that all databases be encrypted because of the issues of individuals 
being in the network who could quite — pretty simply, once you got 
into the database you had everything that you needed. 

Mr. Lamborn. Now, those of us, some of us anyway on this panel 
have been concerned about what would have been able to be 
accessed. Am I correct in assuming that this would include, of the 
20 million veterans on the system, Social Security numbers and
names, ages and possibly Social Security numbers of dependents 
and sometimes personal health information? 

Mr. Davis. Sure. Some of the systems that were compromised, if 
they had that information in them obviously they would take that. 
In some of the studies that my organization did when we were 
looking at web applications, and web applications that have a data- 
base connected to the back end it has veterans’ information, my 
team will run security software tools and it will tell them if that 
application is vulnerable to attack and how easily it is vulnerable
and exploitable. 

My team at that time found a number of applications that had 
veteran information, 30 million instances of veteran information 
that was exploitable, and they exploited the system to show that 
it was exploitable inside those systems; Social Security numbers, 
date of birth, so on and so forth. 

Mr. Lamborn. And what about, and I don’t know if there is going 
to be a second round or not, I may have to pursue this later, but 
what about access to other networks? Like, I know DoD and VA 
interact a lot, at least in the health care issue. What possible ac- 
cess could this allow if someone was controlling VA or at least had 
domain control to get into other networks? 

Mr. Davis. As we talked about earlier, the team did these key 
investigative reports, so specifically looking at the nation-state 
sponsored attackers. And one of the compromises that they picked 
up on, this report was right as I was leaving, this came out on Jan- 
uary 9th, 2013, there was an incident that took place where the 
team, and I will just kind of read it, it says the teams in turn simply gains initial access to an enterprise via spear phishing by moving laterally previously through compromised trusted networks.

I will jump forward in this report, and what they have said is 
that — has targeted and compromised one or more systems within 
the Silver Spring office site code, many of which are virtual private 
network users. Based on information collected from open source in- 
telligence and interviews of targeted users, the Deep Dive analysis 
team considers the Bidirectional Health Information Exchange Pro- 
gram to be a high value target for this team. The BHIE program 
is a joint information technology data exchange initiative between 
the Department of Defense, DoD, and VA. The team may be inter- 
ested in the data residing in the system and the network inter- 
connections between the VA and DoD allowing this program to 
function or both. 

Mr. Lamborn. Thank you. 

Mr. Coffman. Dr. Roe. 

Mr. Roe. Thank you. A couple of things I want to just go over 
very quickly and then yield my time. In March 2010, these 
uninvited visitors were nation-state sponsored attackers. Over the 
course of time, while working with the VA, the NSOC team and ex- 
ternal agents learned that these attackers were a nation-state 
sponsored cyber espionage unit and that no less than eight dif- 
ferent nation-state sponsored organizations had successfully com- 
promised VA networks or data or were actively attacking, not nec- 
essarily compromised but attacking VA networks, and attacks con- 
tinue to VA to this day. Is that a correct statement? 

Mr. Davis. That is correct. 

Mr. Roe. So to this date, to date perhaps these attacks are tak- 
ing place. The other question I have is, that I think you just stated, 
and you said the PLA without any hesitation. I guess I would have 
to ask Mr. Warren, why couldn’t he say the PLA? He didn’t men- 
tion that. It is not any big secret to anybody. 

Mr. Davis. It is in the public domain. 

Mr. Roe. Yes, it is. 

Mr. Davis. And that is what I am going off. I am going off the
report that came out in the public domain that listed these groups 
of individuals, organizations, and based on that information that is 
in this public domain report, we could accurately say that those are 
the same individuals. Even the nomenclature is the same. 

Mr. Roe. And I am not a technical person so stop me if I am off 
base, but you mentioned that once that system has been com- 
promised, that piece of malware is in the system, there are ways 
you can operate around it. 

Mr. Davis. Yes. 

Mr. Roe. But would encryption work once you have been com- 
promised? Once that malware — do you follow me? 

Mr. Davis. Right. So it depends on what exactly the malware is 
that they put on the system. Your encryption would be of little 
value to you if — once the malware is on the system, the malware 
can then go out and call down other tools into the environment. 
And some of the tools that they do remotely is they pulled down 
keystroke logging. So if they have those types of tools, a keystroke 
logger on that system, when you go to log in to decrypt, they have 
the decryption password for that system. 

Mr. Roe. So they get your password that way. 

Mr. Davis. That is correct. 

Mr. Roe. And do you know that that has happened? When you 
have got the system up now, let’s say you are back there, would 
you know that has happened to you, that they swiped the pass- 
word? 

Mr. Davis. We know that the way these individuals work that 
it is a typical tactic for them to, if they compromise something such 
as a domain controller as was said earlier, or particularly the do- 
main controllers, the domain controller has a file on it called the 
SAM file and that file is the Security Accounts Manager. In that
file are all the password accounts for the users in the network. So 
if they have got the domain controller, they will grab the SAM file. 
When they encrypt the information, generally, if it is going out and 
it is encrypted, I know they hit a domain controller. I guarantee 
they probably took the SAM file. They are going to go back, crack 
it later and are going to take every password that was on that sys- 
tem. 

Mr. Roe. So you better change your password pretty often? 

Mr. Davis. Yes, you would have to change all the — but the problem is, if you have compromised the domain controller, you have
to change the password to the domain controller as well because 
they are on a controller. If you are just changing passwords with- 
out changing the domain controller, they are just grabbing that as 
it goes along. 

Mr. Roe. Well, I want to thank all of the people here today, Ms. 
Halliday, certainly your team and every one of you. I have learned 
a lot today, and I think we will continue. 

Mr. Chairman, thanks for holding this hearing. 

Mr. Coffman. Mr. Huelskamp. 

Mr. Huelskamp. Thank you, Mr. Chairman. I just want to follow 
up on a statement that Dr. Roe mentioned in which he stated that 
you learned about these attackers were a nation-state sponsored 
cyber espionage unit with no less than eight different nation-state 
sponsored organizations. Who told you this, how did you determine
that, and was that common knowledge in the IT network? 

Mr. Davis. It was put together through information that the VA 
Information Security Team, they are called the Enterprise Network 
Defense Team, they put that information together because they 
track, as Mr. Warren stated earlier, they track all these issues 
across the network. They produce these reports. They would send 
them to me and Mr. Warren and a couple other folks and I would 
read through them and work out a plan of action or strategy to 
work through this. 

Mr. Huelskamp. So the report you mentioned, which I believe we 
have a copy of, both reports, did Mr. Warren receive these reports 
as well? 

Mr. Davis. Yes, he was on that email distribution list. I think it 
was only Mr. Warren, myself and maybe one other person. There 
is like three people. 

Mr. Huelskamp. Did you discuss this issue of nation-state spon- 
sored organizations with Mr. Warren? 

Mr. Davis. We did from time to time initially when I first came 
on board at VA. He told me that we have uninvited visitors in the 
network. I pretty much knew what that meant. I had dealt with 
it before. And then going on in subsequent talks, from time to time 
I had a biweekly security meeting with Mr. Warren. It would come 
up about these attackers in the network. If we had an incident it 
might be the topic of the day that we had an incident and we are 
trying to work through it. So, yes, we definitely talked about it. 

Mr. Huelskamp. And above Mr. Warren, did you discuss with 
any of his superiors about that or did you just leave it in his 
hands? 

Mr. Davis. I generally — my reporting line was to Mr. Warren, so 
generally, I didn’t have a great opportunity to talk to folks above 
Mr. Warren. 

Mr. Huelskamp. Did you ever email them with the information 
or include them on an email distribution about this issue? 

Mr. Davis. No. I just worked directly with Mr. Warren on those 
things. 

Mr. Huelskamp. Okay. I think you were here earlier, but a 
statement from Mr. Shinseki indicates that, again to be clear, VA 
security posture was never at risk. Your opinion on that, Mr. 
Davis. Is that an accurate statement? 

Mr. Davis. I would say that is not an accurate statement. 

Mr. Huelskamp. Okay. Did Mr. Warren ever tell you that was 
an inaccurate statement? Did you ever discuss something along 
those lines? 

Mr. Davis. At the time when we were doing the ATOs in the 
memorandum and at the time when he visited my office, I believe 
it was January 22nd, I said that, you know, that the process was 
just bad and basically, as I wrote in the memo, I repeated the 
words that it jeopardized the integrity of the security program. 

Mr. Huelskamp. Lastly, I didn’t get a chance to ask questions 
on this issue, but recently it has come up that numerous other Sec- 
retary and high level individuals in Washington have at times used 
private apparently non-secure email systems to communicate and 
to conduct business. Do you know if that was occurring at the VA? 

Mr. Davis. I couldn’t say definitely. I would suspect that people 
do do that, but I have no direct knowledge that anybody was doing 
it. I was not asked to investigate or anything like that. 

Mr. Huelskamp. Okay. Were there any VA policies about doing 
that? 

Mr. Davis. I believe there is a VA policy. I believe it would be 
more on the — possibly on the HR side of the house, but it may also 
be in the security policy, that official business you have to conduct 
using VA provided email systems and things of that nature. But I 
don’t know the exact policy that that would be. But I am pretty 
sure that it is in policy. 

Mr. Huelskamp. And then lastly and I will yield back, Mr. 
Chairman, I wasn’t trying to figure out what you were doing on 
personal time, but the testimony you have given sometimes has not 
matched up with earlier testimony as I understood that. Do you 
have any printed out emails or anything in your possession that 
would help establish the veracity of some of the discussions today, 
or is that all retained entirely by the Department? 

Mr. Davis. Anything that I have with me, it is free to go to the 
Committee. It is a lot — some of this is off the public Internet and 
some of them are internal VA documentation and email systems in- 
formation, things like that, that — some of them I would be con- 
cerned that where there are system compromise — or system issues, 
exposures of data, that it identifies the particular vulnerability in 
the system. So I would ask that the system piece of it be stripped 
out. 

Mr. Huelskamp. I understand. Last, Mr. Chairman, Mr. Davis, 
as I understand it, you have 20 years of experience in the private 
and public sector dealing with system security and it still is your 
recommendation that the VA network should be designated as a 
compromised environment. Is that still your — 

Mr. Davis. That is correct. 

Mr. Huelskamp. Thank you, Mr. Chairman. I yield back. 

Mr. Coffman. Thank you, Mr. Huelskamp. Does anybody have 
any questions they would like to ask? 

Very well. Our thanks. Mr. Davis, thank you very much for your 
testimony today. You are now excused. 

It is obvious from what we have heard here today that VA needs 
to take action to improve its IT security. The Subcommittee looks 
forward to working with VA to address these serious deficiencies 
and ensure that all steps are being taken to safeguard the informa- 
tion of our veterans. In that vein, I ask that in 30 days VA provide 
this Subcommittee a specific plan to address all of its IT 
vulnerabilities. 

I ask unanimous consent that all Members have 5 legislative 
days to revise and extend their remarks and include extraneous 
material. Without objection, so ordered. 

Mr. Weaver, the Committee will be in touch with you to establish 
a date and time for a separate meeting for a classified brief — 

Mr. Warren. Warren. 

Mr. Coffman. Mr. Warren, I am sorry. I was looking at you. Mr. 
Warren, okay. 

I would like to once again thank all of our witnesses and audi- 
ence members for joining us today in conversation. This hearing is 
now adjourned. 

[Whereupon, at 5:40 p.m., the Subcommittee was adjourned.] 



APPENDIX 


Prepared Statement of Hon. Mike Coffman, Chairman 

Good afternoon. I would like to welcome everyone to today’s hearing titled “How 
Secure is Veterans’ Private Information?” 

Reports from VA’s Office of Inspector General, private sector consultants brought 
on by VA, and this Subcommittee’s own investigation have revealed tremendous 
problems within VA’s Office of Information and Technology. 

Some of these issues have been made public in Inspector General reports which 
outlined mismanagement of human resources and the lack of much needed technical 
expertise. Other issues have been less publicized, such as those captured in the 
Deloitte “deep dive” that identified gaps in OI&T’s organizational structure and a 
poorly executed business model. 

The latter report recognized the growth of VA by thirty-three percent since 2006; 
growth that is mirrored by the expansion of VA’s computer network. Unfortunately, 
there has not been a comparable growth in the technical personnel needed to man- 
age security of VA’s sprawling network. 

These failures have created problems for both the Department and for veterans. 

The Inspector General substantiated that VA was transmitting sensitive data, in- 
cluding personally identifiable information and internal network routing informa- 
tion, over an unencrypted telecommunications carrier network — both violations of 
Federal regulation and basic IT security. The IG also noted that VA has not imple- 
mented technical configuration controls to ensure encryption of sensitive data de- 
spite VA and Federal information security requirements. 

Similarly, it is evident that software patches are not up to date across the net- 
work, too many users have Administrator access, security software is not up to date 
on older computers, and computer ports are not properly secured. There is little to 
no security of file transfer protocol, and web pages are vulnerable allowing unau- 
thorized access to veterans’ unprotected personal information within the system. 

While these issues alone give cause for grave concern, this Subcommittee’s inves- 
tigation has identified even greater problems. The entire veteran database in VA, 
containing personally identifiable information on roughly 20 million veterans, is not 
encrypted, and evidence suggests that it has repeatedly been compromised since 
2010 by foreign actors, including in China and possibly in Russia. 

Recently, the Subcommittee discussed VA’s Authorization to Operate, a formal 
declaration that authorizes operation of a product on VA’s network which explicitly 
accepts the risk to agency operations, and was told that “VA’s security posture was 
never at risk.” 

In fact, VA’s security posture has been an unacceptable risk for at least three 
years as sophisticated actors use weaknesses in VA’s security posture to exploit the 
system and remove veterans’ information and system passwords. While VA knew 
foreign intruders had been in the network, the Department was never sure what 
exactly these foreign actors took, because the outgoing data was encrypted by the 
trespassers. 

These actors have had constant access to VA systems and data, information which 
included unencrypted databases containing hundreds of thousands to millions of in- 
stances of Veteran information such as veterans’ and dependents’ names, social se- 
curity numbers, dates of birth, and protected health information. 

Notwithstanding these problems, VA has waived or arbitrarily extended accredita- 
tion of its security systems on its network. It is evident that VA’s waivers or exten- 
sions of accreditation only “appear” to resolve material weaknesses without actually 
resolving those weaknesses. 

VA’s IT management knowingly accepted the security risks by waiving the secu- 
rity requirements even though such waivers are not appropriate. This lapse in com- 
puter security and the subsequent attempts by VA officials to conceal this problem 
are intolerable and I look forward to a candid discussion about these issues. 

I now yield to Ranking Member Kirkpatrick for her opening statement. 


Prepared Statement of Hon. Ann Kirkpatrick 

Thank you, Mr. Chairman. 

As the Department of Veterans Affairs works hard to serve the needs of today’s 
veterans they must work equally hard to protect their personal information. 

Today’s hearing is an attempt to determine whether a veterans’ private informa- 
tion is secure. Mr. Chairman, veterans need to know that when they ask VA for 
the services and benefits they have earned, the information they submit in order 
to get those benefits will not be compromised under any circumstances. 

I hope that the VA came prepared today to provide assurances to Congress and 
veterans that all their information technology systems are secure. We expect 
VA to also answer our questions directly and honestly. As we get questions from 
veterans in our districts we want to provide complete and honest answers to them. 

Congress received a letter from Mr. Jerry L. Davis, now a former employee at VA, 
who states that “there is a clear and present danger and risk of exposure and com- 
promise of the sensitive data.” I share the Chairman’s concern on whether VA is 
following the required government practices and policies regarding the monitoring 
and remediation of system risk. 

In addition, two OIG reports from 2012 and 2013 raise additional concerns. The 
2012 report questions whether the agency has the proper Strategic Human Capital 
Management program to meet mission-critical system capabilities as VA moves in 
the 21st century. The second 2013 OIG report faults VA for failing to ensure private 
information by not encrypting health data transmitted to outpatient clinics and ex- 
ternal business partners. The VA must address the concerns raised and assure vet- 
erans who come to VA for assistance that their personal information is secure. 

I want to thank everyone for being here today. I would also like to thank the wit- 
nesses for their testimony and for answering our questions about the security of vet- 
erans’ private information at the Department of Veterans’ Affairs. 

Thank you, Mr. Chairman. I yield back. 


Prepared Statement of Hon. Jackie Walorski 

Mr. Chairman and Ranking Member, it’s an honor to serve on this Committee. 

I thank you for holding this hearing on such an important issue affecting our vet- 
erans and their sensitive personal information. 

There are over 22 million veterans who have proudly served this country and who 
we are indebted to for their selfless call to protect the freedoms which we cherish.¹ 
The fact that the personal information of many of these veterans may have been 
compromised is completely unacceptable. 

The VA’s Office of Information and Technology has proven inept at securing the 
Department’s information systems and has consequentially exposed veteran infor- 
mation. 

Our veterans are comprised of an exceptional group of men and women, including 
their families, who should not live in fear of their private information getting into 
the wrong hands. 

I look forward to working with my colleagues and our panelists to establish an imme- 
diate plan of action that will address this serious problem. 

Thank you. 


Prepared Statement of Linda A. Halliday 

Mr. Chairman and Members of the Subcommittee, thank you for the opportunity 
to discuss the Office of Inspector General’s (OIG) work regarding the securing of vet- 
erans’ private information by VA. I am accompanied by Ms. Sondra McCauley, Dep- 
uty Assistant Inspector General for Audits and Evaluations, and Mr. Michael Bow- 
man, Director, OIG’s Information Technology and Security Audits Division. 

BACKGROUND 

Secure systems and networks are integral to supporting the range of VA mission- 
critical programs and operations. Information technology (IT) safeguards are essen- 
tial due to the wide availability of hacking tools on the internet and the advances 
in the effectiveness of attack technology. Lacking proper safeguards, IT systems are 
vulnerable to intrusions by groups seeking to obtain sensitive information, commit 
fraud, disrupt operations, or launch attacks against other systems. VA has at times 
been the victim of such malicious intent. In the past, VA has reported security inci- 
dents in which sensitive information has been lost or stolen, including personally 
identifiable information (PII), potentially exposing millions of Americans to the loss 
of privacy, identity theft, and other financial crimes. The need for an improved ap- 
proach to information security is apparent, and one that senior VA leaders well rec- 
ognize. 

¹ Veteran population estimates, as of September 30, 2012, are produced by the VA Office of 
the Actuary (VetPop 2011). http://www.va.gov/vetdata/Veteran_Population.asp. 

In response to the need to improve security controls, VA has made progress defin- 
ing policies and procedures supporting its Department-wide information security 
program. However, VA continues to face significant challenges implementing effec- 
tive access controls, configuration management controls, and contingency planning 
to protect mission-critical systems from unauthorized access, alteration, or destruc- 
tion. VA has taken positive steps to safeguard personal and proprietary information 
used by VA employees and contractors. Key actions have included: 

• Mandating cyber security and privacy awareness training to ensure that VA 
and contract employees are familiar with applicable laws, regulations, and poli- 
cies. 

• Reviewing the accuracy of position sensitivity level designations for VA and con- 
tract employees. 

• Strengthening its policies and procedures for identifying and reporting incidents 
involving information management and security violations to ensure that the 
incidents are promptly and thoroughly investigated. 

• Establishing a clear chain of command and accountability structure for informa- 
tion security. 

These were good first steps toward improving information security; however, more 
needs to be done. Over recent years, the OIG has conducted a series of reviews to 
help VA overcome its information security challenges by identifying the underlying 
causes for VA’s security vulnerabilities and deficiencies. These include our statutory 
work, reviews of complaints to the OIG Hotline, and proactive reviews of internal 
controls. Our report findings have disclosed a pattern of ineffective information se- 
curity controls that expose VA’s mission-critical systems and sensitive data to un- 
necessary risk. We believe our corresponding audit recommendations provide a road- 
map for VA to improve the effectiveness of its information security program and 
safeguard the sensitive data needed to support delivery of benefits and services to 
our Nation’s veterans. 

STATUTORILY-REQUIRED REVIEWS 

For more than 10 consecutive years, independent public accounting firms under 
contracts with the OIG identified information technology security controls as a ma- 
terial weakness as a result of their annual audits of VA’s Consolidated Financial 
Statements. Work on these audits supports our annual Federal Information Security 
Management Act (FISMA) assessments. FISMA requires agencies to develop, docu- 
ment, and implement agency-wide information security risk management programs 
and prepare annual reports. FISMA also requires that each year, the OIG assess 
the extent to which VA complies with FISMA’s information security requirements, 
information security standards developed by the National Institute of Standards 
and Technology, and the annual reporting requirements from the Office of Manage- 
ment and Budget. 

In the middle of FY 2012, while our annual FISMA assessment was ongoing, VA 
instituted the Continuous Readiness in Information Security Program (CRISP) to 
ensure continuous monitoring year-round and establish a team responsible for re- 
solving the IT material weakness. As our FISMA work progressed, we noted more 
focused VA efforts to implement standardized information security controls across 
the enterprise. We also saw improvements in role-based and security awareness 
training, contingency plan testing, reducing the number of outstanding Plans of Ac- 
tion and Milestones (POA&Ms), developing initial baseline configurations, reducing 
the number of IT individuals with outdated background investigations, and improv- 
ing data center web application security. However, the CRISP initiative was not 
launched until March 2012 and the improved processes had not been implemented 
for an entire fiscal year with the opportunity to demonstrate sustained improve- 
ments in information security. 

For FY 2012, we provided a draft report to VA for review and comments and we 
expect to issue our report in June 2013. The report will discuss control deficiencies 
in four key areas: 

Configuration Management Controls are designed to ensure critical systems have 
appropriate security baseline controls and up-to-date vulnerability patches imple- 
mented. However, we found: 

• Systems including key databases supporting various applications were not time- 
ly patched or securely configured to mitigate known and unknown information 
security vulnerabilities. 

• Baseline configurations, including implementation of the Federal Desktop Core 
Configuration, were not consistently implemented to mitigate significant system 
security risks and vulnerabilities across the facilities. 

• Change control policy and procedures for authorizing, testing, and approval of 
system changes were not consistently implemented for the networks and mis- 
sion critical system hardware and software changes. 

Access Controls are designed to ensure that password standards are consistently 
implemented across the enterprise and that user accounts are monitored to enforce 
minimal access privileges necessary for legitimate purposes and to eliminate con- 
flicting roles. Our FISMA assessment revealed that: 

• Password standards were not consistently implemented and enforced across 
multiple VA systems, including the network domain, databases, and mission 
critical applications. In addition, multi-factor authentication for remote access 
had not been implemented across the agency. 

• Inconsistent reviews of networks and application user access resulted in numer- 
ous generic, system, and inactive user accounts that were not removed and/or 
deactivated from the system, and users with access rights that were not appro- 
priate. 

• Proper completion of user access requests was not consistently performed to 
eliminate conflicting roles and enforce principles of least system privilege. 

• Lack of monitoring of access in the production environment for individuals with 
elevated application privileges for a major application. 

Security Management is designed to ensure that system security controls are ef- 
fectively monitored on an ongoing basis and system security risks are effectively re- 
mediated through corrective action plans or compensating controls. We will report 
that: 

• Security management documentation, including the risk assessments and Sys- 
tem Security Plans, were outdated and did not accurately reflect the current 
system environment or Federal standards. 

• Background reinvestigations were not performed timely or tracked effectively. 
In addition, personnel were not receiving the proper level of investigation for 
the sensitivity levels of their positions. 

• Scheduled completion dates for POA&Ms were updated without written jus- 
tification and supporting documentation was not adequate to justify POA&M 
closures. 

Contingency Planning Controls ensure that mission-critical systems and business 
processes can be restored in the event of a disaster or emergency. However, we de- 
termined that: 

• Contingency plan documentation had not been updated to reflect lessons 
learned from the contingency and disaster recovery tests, and detailed recovery 
procedures for all system priority components had not been documented and/or 
did not reflect current operating conditions. 

• Backup tapes were not encrypted prior to being sent to offsite storage at se- 
lected facilities and data centers. 

More importantly, we continue to identify significant technical weaknesses in 
databases, servers, and network devices that support transmitting sensitive infor- 
mation among VA’s Medical Centers, Data Centers, and VA Central Office. Many 
of these weaknesses are due to inconsistent enforcement of an agency-wide informa- 
tion security program across the enterprise and ineffective communication between 
VA management and the individual field offices. Therefore, VA needs to improve its 
monitoring process to ensure controls are operating as intended at all facilities and 
communicate security deficiencies to the appropriate personnel to implement correc- 
tive actions. 

We have identified and reported deficiencies where control activities were not ap- 
propriately designed or operating effectively. The dispersed locations, the continued 
reorganization of VA business units, and the diversity in applications adversely af- 
fected facilities and management’s ability to consistently remediate IT security defi- 
ciencies agency-wide. For example, VA’s complex and dispersed financial system ar- 
chitecture had resulted in a lack of common system security controls and incon- 
sistent maintenance of IT mission-critical systems. Consequently, VA continues to 
be challenged by a lack of consistent and proactive enforcement of established poli- 
cies and procedures throughout its geographically dispersed portfolio of legacy appli- 
cations and newly implemented systems. In addition, VA lacks an effective and con- 
sistent corrective action process for identifying, coordinating, correcting, and moni- 
toring known internal security vulnerabilities on databases, web applications, and 
networks infrastructures. 

Our FY 2012 FISMA report will include 27 current recommendations to the Act- 
ing Assistant Secretary for Information and Technology for improving VA’s informa- 
tion security program. The report also highlights five unresolved recommendations 
from prior years’ assessments for a total of 32 outstanding recommendations. Over- 
all, we are recommending that VA focus its efforts in the following areas: 

• Addressing security-related issues that contributed to the IT material weakness 
reported in the FY 2012 audit of the Department’s consolidated financial state- 
ments. 

• Remediating high-risk system security issues in its Plans of Action and Mile- 
stones. 

• Establishing effective processes for evaluating information security controls via 
continuous monitoring and vulnerability assessments. 

We continue to evaluate VA’s progress during our ongoing FY 2013 FISMA audit 
and acknowledge increased VA efforts to improve information security, but we are 
still identifying repeat deficiencies, albeit to a lesser extent. This fall, upon comple- 
tion of our FY 2013 FISMA testing and related work, we will make a determination 
as to whether VA’s improvement efforts are successful in overcoming the IT mate- 
rial weakness. 

OTHER REPORTS RELATED TO INFORMATION SECURITY 

Over the past 2 years, we have issued a series of audits and reviews that have 
identified VA’s information security controls deficiencies. Our reports disclosed a 
number of issues, including ineffective management of systems interconnections and 
sensitive data exchanges, delayed contractor background investigations, and inad- 
equate access controls that placed sensitive veterans’ data at unnecessary risk. 

Review of Alleged Transmission of Sensitive VA Data Over Internet Connec- 
tions 

In March 2013, we substantiated an allegation made through the OIG Hotline 
that VA was transmitting sensitive data, including PII and internal network routing 
information, over an unencrypted telecommunications carrier network. VA Office of 
Information Technology (OIT) personnel disclosed that VA typically transferred 
unencrypted sensitive data, such as electronic health records and internal internet 
protocol addresses, among certain VA Medical Centers and Community Based Out- 
patient Clinics using an unencrypted telecommunications carrier network. OIT man- 
agement acknowledged this practice and formally accepted the security risk of po- 
tentially losing or misusing the sensitive information exchanged. 

VA has not implemented technical configuration controls to ensure encryption of 
sensitive data despite VA and Federal information security requirements. Without 
controls to encrypt the sensitive VA data transmitted, veterans’ information may be 
vulnerable to interception and misuse by malicious users as it traverses 
unencrypted telecommunications carrier networks. Further, malicious users could 
obtain VA router information to identify and disrupt mission-critical systems essen- 
tial to providing health care services to veterans. 

VA acknowledged transmitting PII over privately segmented networks to support 
service to veterans. VA concurred with our recommendations to improve the protec- 
tion of sensitive data transmitted over the unencrypted carrier networks and imple- 
ment configuration controls to ensure encryption of such data. VA clarified that it 
employs an industry telecommunications carrier network to provide a segmented 
network for transmitting PII, but noted that these network links are not currently 
employing encryption controls to protect sensitive data. 

VA did not agree with the assertion that PII and internal network routing infor- 
mation were being transmitted over unsecured internet connections. However, based 
on interviews with OIT personnel at VA Medical Centers as well as information pro- 
vided by the OIG Hotline complainant, we maintain that PII and router information 
were being transmitted unencrypted through a telecommunications carrier that also 
provided internet services to customers outside of VA. Nonetheless, we commend 
OIT for performing a review of the locations associated with the Hotline complaint 
and inspecting communication networks to ensure proper segmentation of VA net- 
works from internet connections. We recognize that industry telecommunications 
carriers can segment data traffic from unsecured Web connections. However, we be- 
lieve the risk remains that sensitive VA data and router information can be com- 
promised when it is transmitted across unencrypted telecommunications carrier net- 
works outside of VA’s span of technical control. More specifically, the network alone 
does not provide encryption, integrity, or authentication protections for the trans- 
mission of sensitive data and such services may be vulnerable to denial of service 
or sniffing attacks by malicious users. The Assistant Secretary for Information and 
Technology acknowledged these information security risks by stating OIT will re- 
view technical network communications practices across the enterprise and take cor- 
rective actions without hesitation. 

Audit of VA System Interconnections With Research and University Affiliates 

In October 2012, we reported on the effectiveness of VA’s management of network 
interconnections and sensitive data exchanges with its research and university af- 
filiates. Our audit disclosed that VA has not consistently managed its systems inter- 
connections and data exchanges with its external research and university affiliates. 
Despite Federal requirements, VA could not readily account for the various systems 
linkages and sharing arrangements. VA also could not provide an accurate inven- 
tory of the research data exchanged, where data was hosted, or the sensitivity lev- 
els. In numerous instances, we identified unsecured electronic and hardcopy re- 
search data at VA Medical Centers and co-located research facilities. 

We determined that VA’s data governance approach has been ineffective to ensure 
that research data exchanged is adequately controlled and protected throughout the 
data life cycle. VA and its research partners have not consistently instituted formal 
agreements requiring that hosting facilities implement controls commensurate with 
VA standards for protecting the sensitive data. The responsible Veterans Health Ad- 
ministration program office’s decentralized approach to research data collection and 
oversight at a local level has not been effective to safeguard sensitive VA informa- 
tion. Because of these issues, VA data exchanged with its research partners was 
considered to be at risk of unauthorized access, loss, or disclosure. 

VA has the opportunity to further serve veterans by supplying the patient and 
medical data needed to achieve advancements in medical research and health care 
services. However, providing such sensitive data through electronic or hard copy 
means without effective information security controls and oversight has left the data 
susceptible to unauthorized access, loss, or disclosure. Leaving hosting facilities re- 
sponsible for data governance at the local level without coordinated involvement of 
all stakeholders has proven ineffective and improvements are needed. 

Establishing formal information security agreements is one method of docu- 
menting data sharing agreements and ensuring that hosting facilities institute in- 
formation security controls commensurate with VA standards. Further, a centralized 
data governance and storage approach would ensure researchers effectively control 
and securely manage sensitive VA research information over the data life cycle. 
Such measures are key to protect veterans’ PII and personal health information and 
promote continued advancements in medical research now and for the future. VA 
generally concurred with our report recommendations. VA is taking corrective ac- 
tions, however, all recommendations remain open as full implementation has not oc- 
curred. 

Review of Alleged Incomplete Installation of Encryption Software Licenses 

In October 2012, we substantiated a Hotline allegation that OIT had not installed 
and activated an additional 100,000 licenses purchased in 2011. As of July 2012, 
OIT officials stated they had installed and activated only a small portion, about 
66,000 (16 percent), of the total 400,000 licenses procured. OIT did not install and 
activate all of the licenses due to inadequate planning and management of the 
project. Specifically, OIT did not allow time to test the software to ensure compat- 
ibility with VA computers, ensure sufficient human resources were available to in- 
stall the encryption software on VA computers, and adequately monitor the project 
to ensure encryption of all VA laptop and desktop computers. 

As such, 335,000 (84 percent) of the total 400,000 licenses procured, totaling about 
$5.1 million in questioned costs, remained unused as of 2012. Given changes in VA 
technology since 2006, VA lacked assurance the remaining software licenses were 
compatible to meet encryption needs in the current computer environment. Further, 
because OIT did not install all 400,000 encryption software licenses on VA laptop 
and desktop computers, veterans’ PII remained at risk of inadvertent or fraudulent 
access or use. 

We recommended the Assistant Secretary for Information and Technology com- 
plete an assessment of the encryption software project to determine whether the 
software was compatible with VA’s operating systems and still met VA needs. Based 
on the assessment, we recommended that VA terminate the project or develop a 
plan, including adequate human resources and project monitoring, to ensure instal- 
lation and activation of the remaining encryption software licenses. The Assistant 
Secretary for Information and Technology concurred with our finding and rec- 
ommendations and is taking steps to move forward with the software implementa- 
tion. 

Review of Alleged Delays in VA Contractor Background Investigations 

In September 2012, we reported on the merits of a complaint regarding ineffective 
VA management of its contractor background investigations. We substantiated that 
VA could improve management of its contractor background investigations. Specifi- 
cally, VA had a backlog of 3,000 contractor background investigations as of April 
2012, despite process improvements and a reduction in pending cases in recent 
months. VA also inappropriately prohibited contractors from working on awarded 
contracts although VA policy only requires initiating, not fully completing, investiga- 
tions before contractors could start work. 

According to VA officials, delays occurred due to ineffective management within 
VA’s program office which is responsible for initiating and adjudicating background 
investigations; staff misunderstanding VA’s personnel security requirements and in- 
vestigative processes; and no effective centralized system to monitor progress in ad- 
dressing the backlog. In the absence of a system linking contractors needing back- 
ground investigations with underlying contracts, we could not determine whether 
VA unnecessarily paid for contractors not yet authorized to work on awarded con- 
tracts. Nonetheless, VA officials said the backlog adversely affected their ability to 
fully staff major IT initiatives. 

Our report provided several recommendations for improving procedures to reduce 
the backlog of contractor background investigations and implementing a central case 
management system to monitor contractor status and associated costs during the 
background investigation process. VA generally concurred with our findings and rec- 
ommendations and has reported corrective actions to address them. 

Review of Alleged Mismanagement of the Systems To Drive Performance 
Project 

In February 2012, we reported that VA’s Office of Management did not effectively 
manage the Systems to Drive Performance (STDP) project. We substantiated that 
VA did not adequately protect sensitive VA information from unauthorized access 
and disclosure. Specifically, we determined that more than 20 system users had in- 
appropriate access to sensitive STDP information. On a specific note, VA’s National 
Data Systems Group did not consistently approve requests for user access. Further- 
more, project managers did not report unauthorized access as a security event, as 
required by VA policy. Security deficiencies occurred because STDP project man- 
agers were not fully aware of VA’s security requirements for system development 
and had not formalized user account management procedures. Inadequate Informa- 
tion Security Officer oversight also contributed to weaknesses in user account man- 
agement and the failure to report the granting of excessive user rights as security 
violations. As a result, VA lacked assurance of adequate control and protection of 
sensitive STDP data. 

VA concurred with our findings and recommendation to ensure that employees as- 
signed to the STDP project receive the role-based security training needed to ad- 
dress the issues highlighted in the report. Additionally, VA agreed to assign an In- 
formation Security Officer to the project to ensure VA’s information security require- 
ments are met. Corrective actions have been taken and these recommendations are 
now closed. 

Review of Alleged Unauthorized Access to VA Systems 

In July 2011, we reported on the merits of an OIG Hotline allegation that certain 
contractors without proper security clearances gained unauthorized access to VA 
networks and Veterans Health Information System and Technology Architecture 
(VistA) systems at multiple VA medical facilities. Our review substantiated the alle- 
gation and found that contractors improperly used other employees’ Virtual Private 
Network user accounts to gain unauthorized access to VA systems and networks. 
The review also substantiated that contractor personnel did not obtain appropriate 
background security clearances before gaining access to VA systems and networks. 
Contractors admitted to sharing two of their employees’ user accounts to access VA 
networks on a number of occasions for maintenance and monitoring of contractor 
systems. Further, contractors could not provide evidence that they readily initiated ac- 
tions to terminate user accounts after the employee’s separation date. 
VA policy specifically prohibits the sharing of user accounts and requires the clos- 
ing of user accounts as part of proper user account management. Further, VA policy 
requires VA personnel to regularly review user account access for inappropriate or 
unusual activity and take necessary actions. Contractors stated they did not fully 
understand VA’s information security requirements regarding user account access 
and did not believe additional user accounts were needed. Additionally, VA did not 
actively monitor user account activity or readily communicate with contractors the 
need periodically to identify and terminate unnecessary user accounts. Without ef- 
fective controls to prevent unauthorized access by contractors, VA information sys- 
tems and sensitive veterans’ data are vulnerable to increased risks of compromised 
availability, integrity, and confidentiality. The lack of individual accountability over 
user accounts provides ample opportunities to conceal malicious activity such as 
theft or misuse of veterans’ data. VA concurred with our findings and recommenda- 
tions. However, the report remains open because a key recommendation regarding 
contractor security controls and practices has not been implemented almost 2 years 
after we issued the report. 

CONCLUSION 

Well-publicized information security incidents at VA demonstrate that weaknesses 
in information security policies and practices expose mission-critical systems and 
data to unauthorized access and disclosure. Through its CRISP initiative, VA has 
strengthened its efforts to define policies and procedures supporting its agency-wide 
information security program. However, its highly decentralized and complex sys- 
tem infrastructure poses significant challenges to implementing effective access con- 
trols, system interconnection controls, configuration management controls, and con- 
tingency planning practices that adequately protect mission-critical systems from 
unauthorized access, alteration, or destruction. Until VA fully implements key ele- 
ments of its information security program and addresses our outstanding audit rec- 
ommendations, VA’s mission-critical systems and sensitive veterans’ data remain at 
increased and unnecessary risk of attack or compromise. 

Mr. Chairman, this concludes my statement. We would be happy to answer any 
questions you or other Members of the Subcommittee may have. 


Prepared Statement of Stephen W. Warren 

Introduction 

Chairman Coffman, Ranking Member Kirkpatrick, Members of the Subcommittee: 
thank you for inviting me to testify regarding the Department of Veterans Affairs’ 
(VA) Information Technology (IT) security strategy. I appreciate the opportunity to 
discuss VA’s plans, actions, and accomplishments in IT security. 

Protecting the data that VA holds on Veterans is as important as the Veterans 
themselves. As the committee knows, the Department received a wakeup call from 
the incident in 2006 involving a stolen laptop which contained unencrypted informa- 
tion on over 19 million Veterans. As a result of this incident, VA consolidated its 
disparate IT functions into a single, unified IT organization. This consolidation has 
benefited VA in many ways, especially in terms of strengthening its information se- 
curity posture. VA’s consolidated IT organization is responsible for protecting Vet- 
eran information at 153 hospitals, 853 community-based outpatient clinics, 57 bene- 
fits processing offices, and 131 cemeteries and 33 soldier’s lots and monument sites. 
Our network supports over 400,000 users, and over 750,000 devices. 

We remain committed to protecting the information we hold on millions of Vet- 
erans and their beneficiaries and more than 300,000 VA employees by providing 
round-the-clock security of VA’s enterprise and infrastructure. The Department fully 
supports the White House’s information security initiatives such as two-factor au- 
thentication using HSPD-12 compliant PIV cards, which the VA is in the process 
of implementing. The Department continues to improve the security posture of the 
VA network through our Visibility into Everything initiative, which allows VA to 
see and manage all of its devices and network components in real time. The contin- 
uous monitoring program is responsible for checking IT systems and monitoring 
every desktop and laptop computer attached to the VA network. 

To reinforce our commitment to information security, we are fostering a culture 
change to ensure that all users on our system follow all necessary and required IT 
and privacy protection rules. VA launched the Continuous Readiness in Information 
Security Program (CRISP) in 2012 to proactively address process and policy defi- 
ciencies and architecture and configuration issues. As part of the CRISP effort, VA 
conducts rigorous vulnerability scanning, continuous monitoring of patching and 
software inventory, implementing port security, anti-virus services, and encryption 
of non-medical IT laptops. 

Through Web Application Security Assessments, VA is able to identify critical 
vulnerabilities and potential exploits in VA applications that store millions of 
records of sensitive data. The network infrastructure is protected through identifica- 
tion of all network assets and critical database stores, identification of all connec- 
tions, and providing the Trusted Internet Connection Gateways services for mail, 
content filtering, name resolution and firewall protection. 

In the past year, VA improved its security posture. The Department has ensured 
that over 98 percent of VA staff have received the mandatory information security 
training they need to protect the information of Veterans and their families. We 
have also completed a number of business impact assessments for contingency plan- 
ning. 

After the 2006 laptop incident, VA worked to ensure its laptop computers were 
encrypted to provide another layer of protection. Currently, over 98 percent of VA’s 
non-medical IT laptops are encrypted. VA has around 2,500 unencrypted laptops re- 
maining and, with the exception of laptops with specific waivers (specific medical 
uses, research laptops using software where encryption would disable the device, 
service/maintenance laptops that do not connect to VA’s network or store sensitive 
information, and laptops purchased by VA and given to Veterans as part of a VA re- 
habilitation program) the Department expects to complete encryption of all laptops 
by June 30, 2013. 

Data Breaches 

The Department has worked hard to regain the trust of Veterans after the stolen 
laptop incident in 2006. VA now has a robust data breach notification process, using 
a Data Breach Core Team (DBCT), which provides advance planning, guidance, 
analysis, and direction regarding the potential loss of Protected Health Information 
(PHI), Personally Identifiable Information (PII), or both. The DBCT serves as the 
decision making body between the functional area(s) affected, VA organizations, and 
external stakeholders. 

The DBCT is made up of representatives from across nearly every part of the VA 
enterprise. When the DBCT determines that a breach is reportable, notification is 
made to the affected individuals and credit monitoring is extended. VA also posts 
a monthly report of data breach notifications on its Web site and holds a press call 
with reporters to discuss the contents of the report. The report is also provided to 
Congress, in addition to a quarterly data breach report. 

VA has become one of the very best large organizations at providing notification 
when a breach occurs. For example, while the HITECH Breach Notification Rule re- 
quires covered entities to provide notification within 60 calendar days after dis- 
covery of the breach, and the strictest state laws require notice within 45 days after 
discovery of a breach, VA policy requires notification within 30 days. A review of 
VA’s incident tracking system over the current fiscal year indicates that VA takes, 
on average, 26 days to provide notice. VA’s standards and practices exceed even the 
strictest Federal and state laws and policies. 

Conclusion 

Mr. Chairman, VA places the highest priority in safeguarding Veterans’ and em- 
ployees’ personal information. We are committed to information security, and al- 
though work remains, VA has made significant improvements in the last few 
years and strives to meet the highest standards in protecting sensitive information. 
Thank you for your continued support of Veterans, their families, and of our efforts 
to protect Veterans and their private information. I am prepared to answer any 
questions you and other Members of the Subcommittee may have. 


Prepared Statement of Jerry L. Davis 

INTRODUCTION 

Chairman Coffman, Ranking Member Kirkpatrick and members of the Sub- 
committee, thank you for the opportunity to convey my concerns to you regarding 
the protection of information systems and information, which includes sensitive Vet- 
eran data at the Department of Veterans Affairs (VA). 

From August 2010 until February 2013, I served as the Deputy Assistant Sec- 
retary, Information Security (DAS IS) and Chief Information Security Officer (CISO) 
at the VA. As the DAS IS, I served as the most senior civil service staff member 
within VA with responsibility for oversight and accountability in the protection of 
VA information, VA privacy, records management and the Freedom of Information 
Act (FOIA) process. At the time of my departure from VA in early February 2013, 
I was one of, if not the, longest serving Chief Information Security Officers (CISOs) in 
the federal government with nearly a decade of service in that role spread across 
multiple federal agencies. I am also a Marine Veteran having served in combat with 
distinction during the First Gulf War, so the appointment to the position as the VA 
CISO had special meaning. It was a position that I did not take lightly and I was 
and I still am extremely proud to have had an opportunity to serve our country and 
equally proud to have had a great opportunity to serve the Veteran community. 

My time at VA was largely filled with a great sense of pride because of the purpose 
and mission of VA and because of my role, which had a direct and positive impact 
on the Veteran community. However, there came a time at the end of my tenure 
where my pride turned to serious consternation and that consternation remains this 
very day. 

SECURITY POSTURE IN 2010: VA’s COMPROMISED ENVIRONMENT 

In nearly 20 years of building and managing security programs across government 
and private industry, I had never seen an organization with as many unattended 
IT security vulnerabilities. Upon my arrival in late August 2010 I inherited the re- 
sults of more than 15 continuous years of an unattended and documented material 
weakness in IT security controls. This material weakness included more than 13,000 
uncompleted IT security corrective actions. These 13,000 security corrective actions 
would require more than 100,000 sub actions to fully remediate and manage IT se- 
curity vulnerabilities and improve the VA security posture. In early September 
2010, I also was advised that nearly 600 VA systems’ Authority to Operate (ATO) 
had expired and there was no plan in place to bring these systems into compliance. 

Despite the voluminous number of uncompleted corrective actions and expired 
ATOs, the most concerning issue was the conversation I had with the VA Principal 
Deputy Assistant Secretary (PDAS), Stephen Warren, who told me shortly after my 
arrival that “We have uninvited visitors in the network”. Further discussion with 
the VA Network Security Operations (NSOC) team indicated that VA became aware 
of a serious network compromise in March 2010 and these “uninvited visitors” were 
nation-state sponsored attackers. Over the course of time while working with the 
VA NSOC team and external agencies, I learned that these attackers were a nation- 
state sponsored cyber espionage unit and that no less than eight (8) different na- 
tion-state sponsored organizations had successfully compromised VA networks and 
data or were actively attacking VA networks; attacks that continue at VA to this 
very day. These groups of attackers were taking advantage of weak technical con- 
trols within the VA network. Lack of controls such as encryption on VA databases 
holding millions of sensitive records, web applications containing common exploit- 
able vulnerabilities and weak authentication to sensitive systems contributed to the 
successful unchallenged and unfettered access and exploitation of VA systems and 
information by this specific group of attackers. 

During my tenure, I consistently ensured that each instance of attack or com- 
promise by this group of attackers was documented and communicated to the VA 
OIT leadership through specialized reporting called Key Investigative Reporting 
(KIR) performed by the NSOC Deep Dive Analysis (DDA) team and biweekly secu- 
rity meetings with the VA Principal Deputy Assistant Secretary (PDAS), Mr. 
Stephen Warren. 

MITIGATION ACTIVITIES 2010-2013 

From late August 2010 until my departure in early February 2013, I planned for 
and executed with support from various sub offices within OIT a series of initiatives 
and activities needed to improve network and systems security with a particular 
focus on defending the network against sophisticated and targeted attacks levied by 
nation-state sponsor organizations. Some of these initiatives included the Web Ap- 
plications Security Program (WASP), the VA Software Assurance Program, Contin- 
uous Monitoring and Diagnostics (CMD) of VA information systems, and mandating 
encryption of VA databases, and supported the reduction of the total number of VA 
databases hosting sensitive Veteran information. 

During my tenure as CISO, with the support of VA as a whole, we were able to 
close more than 10,000 of the 13,000 security corrective actions. In all, VA personnel 
executed more than 100,000 sub actions. While these actions did improve security 
from a compliance perspective, there still existed a problem of fully implementing 
adequate technical security controls needed to defend networks, systems and sen- 
sitive information from nation-state sponsored attackers. The heart of selecting the 
proper technical controls meant fully understanding the threat actors, their tactics, 
techniques and procedures (TTPs) and along with system and network 
vulnerabilities and implementing a program that could continuously report on and 
remediate identified vulnerabilities in a near real time fashion. 

Over time, the Office of Information Security (OIS) worked to enhance a com- 
prehensive program called Continuous Monitoring and Diagnostics (CMD) that 
would provide adequate security of VA systems and networks by continually evalu- 
ating certain technical controls in a near real time fashion. There is proof that a 
good CMD program monitoring the correct controls can significantly improve infor- 
mation security and is consistent with the direction that the federal government has 
taken in securing federal systems. It is also significantly superior to even a good 
paper based ATO process. 

OIT LEADERSHIP DEVIATES FROM ATO PROCESS 

It is my testimony that at the time of my departure from VA the processes 
required for the DAS, IS to make an attestation that VA systems were adequately 
secure were completely faulty and improper and the implementation of the process 
exposed Veteran systems and VA information to further risk of compromise. It was 
confirmed to me by the VA information security staff charged with executing the 
process that it was flawed, provided no value and that providing a positive attes- 
tation to the adequacy of security controls would seriously compromise the integ- 
rity of the VA security program. I subsequently conveyed this message to the Assist- 
ant Secretary and the PDAS by formal memorandum and in conversation to the 
PDAS between January 15, 2013 and January 23, 2013. 

VA Handbook 6600.3 states that the DAS, IPRM (now called DAS,IS) is respon- 
sible for: 

(3) Reviewing all C&A packages and making a decision recommendation to the AO 
to issue an IATO, ATO or Denial of Authorization [emphasis added] to operate; and 

(4) Providing an IATO extension in the event local management can demonstrate 
continuous monitoring and security due diligence are being provided .... 

In accordance with VA information security policy and following VA information 
security procedures, as the DAS, IS, I elected to recommend a denial of an authority 
to operate and also elected to recommend movement of VA systems over the course 
of eight (8) months into an enhanced continuous monitoring program, where sys- 
tems technical controls could be centrally managed and evaluated in a near real 
time fashion. I based my decision on the guidance provided by the information secu- 
rity team and on the fact that the paper based process would not keep highly so- 
phisticated nation-state sponsored attackers from further compromising VA data. 
Furthermore, as each VA system was transitioned into the continuous monitoring 
program, additional specific critical controls would be evaluated for adequacy before 
being granted a full ATO. These additional critical controls are proven to slow and 
repel sophisticated, nation-state sponsored attackers from compromising information 
systems and data. This was an agreed upon process with the VA information secu- 
rity team and a process that had been briefed by me to the Director of IT Audits 
and Security within the VA Office of the Inspector General (OIG) several weeks be- 
fore the process implementation. 

Despite the authority granted to the DAS, IS to make a recommendation to deny 
authorization, the VA OIT PDAS made a concerted effort to circumvent my author- 
ity and influence my decision to make a recommendation to the Accrediting Official 
(AO) that 545 VA systems be given an IATO. Furthermore, VA handbook 6500.3 
and VA policy 6500, provides for no role or authority for the PDAS, OIT with regard to 
the program or processes governing Authority to Operate. 

RECOMMENDATIONS 

To this end, I would recommend that this subcommittee: 

1. Review all VA Key Investigative Reports (KIRs) and Deep Dive Analysis (DDA) 
reports and Web Application Security Program reports (WASP) to assess the dam- 
age and depth of exposure, extent of compromise to VA systems and compromise of 
Veteran information; and 

2. Regularly report to the House Committee on Veteran Affairs on progress made 
with respect to mitigating access to VA systems and Veteran information by nation- 
state sponsored organizations; 

3. Assess previously identified web application exposures and assess for potential 
compromise of Veteran data, both PII and PHI; 

4. Include web application exposures as part of the Data Breach Core Team 
(DBCT) evaluation process; 
5. Assess the potential compromise to non-VA networks sharing an interconnec- 
tion with VA’s network; 

6. Designate the VA network as a “compromised environment” and establish con- 
trols that are effective and support the reclamation of control back to VA from na- 
tion-state sponsored organizations; 

7. Move the VA systems into a full continuous monitoring and diagnostics pro- 
gram with near real time situational awareness of its security posture with a focus 
on the 20 critical controls; 

8. Increase VA funding for information security programs; and number of Infor- 
mation Security Officers (ISOs) supporting VA field offices and facilities; 

9. Move reporting lines for the DAS, IS directly to the AS, OIT or to the Office 
of the Secretary, VA; and 

10. Assess the past and present practices of the OIT leadership with regard to 
decisions made in the protection of VA systems and information. 

I would like to thank the members of the subcommittee for your time today and 
I look forward to any questions you may have. 

Executive Summary 

At the Department of Veterans Affairs (VA), the Deputy Assistant Secretary for 
Information Security (DAS, IS) is responsible for information security and privacy 
strategy, management, policy, procedures, oversight and reporting. VA handbook 
6600.3, Certification and Accreditation (C&A) of VA Information Systems, holds the 
DAS, IS responsible for: 

“Reviewing all final C&A packages and making a decision recommenda- 
tion to the AO to issue an IATO [Interim Authority to Operate], ATO [Au- 
thority to Operate], or Denial of Authorization to operate . . .” and “Pro- 
viding an IATO extension in the event local management can demonstrate 
continuous monitoring and security due diligence are being provided.” 

Beginning in early 2010 and continuing through late 2012, VA systems had been 
under repeated attacks and data compromised by no less than eight (8) groups of 
well organized and sophisticated nation-state sponsored actors who appear to have 
had unfettered and at times, unchallenged access to VA networks, systems and in- 
formation. Internal reporting by the Office of Information Security (OIS) to the Prin- 
cipal Deputy Assistant Secretary (PDAS), Office of Information and Technology 
(OIT) kept the PDAS informed of the condition regarding exposures of Veteran 
data in information systems. This reporting further confirmed to the PDAS by his 
own admission in late 2010 that “uninvited visitors were in the [VA] network” and 
thus continued to be a persistent threat and risk to VA systems and sensitive infor- 
mation and other interconnected non-VA networks. 

Security enhancements and programs put into place by the DAS, IS beginning in 
late 2010 through early 2013, revealed over time that significant amounts of Vet- 
eran data was exposed to potential compromise by any attacker from both the Inter- 
net and from within the VA network infrastructure. 

Because of unfettered access to VA systems and information by sophisticated 
attackers and lack of adequate controls to ensure protection of Veteran information, 
in January 2013, the DAS, IS operating under the authority of VA policy and 
FISMA, determined that the newly derived C&A process was not proper and inad- 
equate for securing VA systems holding sensitive information. Despite the rec- 
ommendation from the DAS, IS to the Assistant Secretary, OIT to reconsider an 
IATO using the inadequate process, the PDAS used his official position to influence 
the DAS, IS to sign an attestation that systems were adequately secure for more 
than 250 ATOs, and essentially exposing VA systems and sensitive data to further 
risk of compromise and exposure. 


Questions For The Record 

Letter From: Hon. Mike Coffman, Chairman, Subcommittee on Oversight & Investigations, To: VA 

October 22, 2013 

The Honorable Eric K. Shinseki 
Secretary 
U.S. Department of Veterans Affairs 

810 Vermont Avenue, NW 

Washington, DC 20420 

Dear Mr. Secretary: 

Please provide written responses to the attached questions for record for the Over- 
sight and Investigations Subcommittee hearing entitled “How Secure is Veterans’ 
Private Information” that took place on June 4, 2013. 

In responding to these questions for the record, please answer each question in 
order using single space formatting. Please also restate each question in its entirety 
before each answer. Your submission is expected by the close of business on July 
25, 2013, and should be sent to Ms. Bernadine Dotson at Bernadine.dotson@mail.house.gov. 

If you have any questions, please call Mr. Eric Hannel, Majority Staff Director 
of the Oversight & Investigations Subcommittee, at 202-226-3527. 

Sincerely, 

Mike Coffman 

Chairman 

Subcommittee on Oversight & Investigations 

MC/hr 


Questions for the Record from Subcommittee Chairman Mike Coffman 

1. The OIG indicates that IT security has been a material weakness at VA for 
more than 10 years. Why did VA OI&T wait until 2012 to institute a proactive ini- 
tiative like the Continuous Readiness in Information Security Program (CRISP) to 
try to address this issue? 

2. The OIG’s more recent Semiannual Report states that OI&T has 11 reports 
open containing 60 recommendations with 14 open for more than a year. Can you ex- 
plain why you concur with OIG recommendations but can’t seem to complete the 
actions necessary to close the recommendations? 

• For example, one report will be open for 2 years come July and yet the most 
significant recommendation remains open - which deals with reviewing con- 
tractor security controls and practices to ensure compliance with VA’s informa- 
tion security requirements. 

3. What steps is VA taking to eliminate the IT Material weakness in FY 13? 

4. Why does VA have so many repeat findings and recommendations from the 
OIG’s FISMA work? Why has VA not made any significant progress towards elimi- 
nating these long standing recommendations? 

5. What actions is VA taking to eliminate the use of clear text protocols used to 
transmit medical information between the VAMCs and the CBOCs over external 
service provider networks? 

6. Based on the information provided in the Deloitte’s deep dive report detailing 
inefficiencies in OI&T operations, what steps will the CIO take to improve delivery 
of IT services? 

7. How will the issuance of the PIV badge affect the ability of the Department 
to respond to Congressional requests, litigation demands, and other similar requests 
to search, decrypt, and release bulk volumes of VA emails? Does the planned roll- 
out of the PIV badge tied to automatic encryption hinder timely responses to such 
requests in any way? 

8. Why is it that the PMAS process only focuses on meeting milestones and 
schedule but there are no metrics around quality, functionality and customer satis- 
faction? 

9. The VA regulations on Information Security Matters at 38 CFR Part 75 appear 
to authorize an accelerated response with notice to the subjects of a data breach 
and/or an offer of credit protection services. How many times has credit protection 
service been offered to veterans for FY 2008-2012 and for each such instance, to 
how many veterans were such services offered? Please provide the annual cost for 
credit services for each year between FY 2008-2012. 
10. Under the regulations at 38 CFR Part 76, if the Secretary determines that 
individual notice is not warranted for a data breach, then an independent risk anal- 
ysis is required to be performed. How many risk analyses have been performed in 
accordance with these provisions for FY 2008 to present? Please describe each occur- 
rence of such analysis including the findings and conclusions. Please also indicate 
each date and instance in which a data breach was reported to OMB and/or to Con- 
gress within FY 2008 to present. 

11. By letter to the committee dated May 14, 2013, you stated: “To be clear, VA’s 
security posture was never at risk.” Please explain how this statement is true given 
the admissions uncovered in the hearing that systems and networks had been 
breached by foreign state actors and the testimony of OIG that, at one point, there 
were 4000 open vulnerabilities. If the statement was untrue when made (as it cer- 
tainly appears), please describe what disciplinary action is being taken for the sub- 
ordinates responsible. 

12. Reports indicate that VA became aware in January, 2013, of an incident 
where attackers used a spearphishing attack to gain access to a joint VA-DoD net- 
work dealing with health data. How many instances have hackers tried to use VA 
networks to gain access to Defense Department computer systems? Please describe 
each instance and what corrective actions were taken in response. 


Questions for the Record from Congressman Tim Huelskamp 

1. I reiterated in my questioning during your testimony, if you could please com- 
municate with the appropriate individual my request for answers to the letters I 
sent to the Department of Veteran Affairs on September 23, 2012 and October 3, 
2012? If you need a copy of those questions, my office would be happy to provide 
those to you. 

2. Your explanation for receiving $87,000 in bonuses was that you met the per- 
formance expectations laid out for you by your leadership — could you please provide 
further explanation of those expectations to my office? 

3. Can you please provide information on how data security at the Department 
of Veteran Affairs compares with industry standards outside the federal govern- 
ment? Specifically, please describe the current data encryption process used by the 
Department of Veteran Affairs. 

4. It was stated during the hearing that outside foreign agents have had access 
to information in the Veterans Affairs database. Could you please provide to me de- 
tailed information on who has accessed the data, the date(s) it was accessed, and 
what the Department of Veteran Affairs has done to prevent future compromises 
to the system? 


Questions and Responses From: U.S. Department of Veterans Affairs 
Questions for the Record from Subcommittee Chairman Mike Coffman 

1. The OIG indicates that IT security has been a material weakness at VA 
for more than 10 years. Why did VA OI&T wait until 2012 to institute a 
proactive initiative like the Continuous Readiness in Information Security 
Program (CRISP) to try to address this issue? 

VA Response: VA has been taking proactive steps to strengthen IT security for 
many years. Prior to 2006, information technology (IT) at the Department of Vet- 
erans Affairs (VA) was decentralized. Among other implications, this decentraliza- 
tion made securing the vast VA enterprise information systems, and thus ending the 
material weakness, virtually impossible. The lack of an ability to address the mate- 
rial weakness in IT was one of the primary reasons the Department, with the help 
of Congress, began to consolidate IT functions into the Office of Information and 
Technology (OIT) in 2006. As a result of IT consolidation, all governance, funding, 
and implementation of IT programs and security controls are managed out of VA 
Central Office (VACO). VA’s consolidation of OIT was not completed until 2009. 

After consolidation, VA managed its information security posture as an IT con- 
cern. Prior to 2012, information security was seen by some as only an IT issue. 
Today, VA recognizes information security is a Department-wide concern and re- 
sponsibility of every single VA employee. In order to bring leadership and field-level 
focus on the goal of ending the material weakness, the Continuous Readiness in In- 
formation Security Program (CRISP) was formed in 2012 under a new innovative 
management methodology. The CRISP effort consolidates all of the disparate mate- 
rial-weakness related initiatives under the leadership of one focused team across 
VA. Moreover, CRISP is more than just a program, but rather is a culture change 
to be embedded throughout the agency. CRISP is steered by VA executive leadership 
and executed by two OIT co-managers. This collaborative approach with senior lead- 
er oversight allowed for more consistent communication, implementation, and con- 
solidation of tasks downstream, more accurate reporting and oversight upstream, 
and meant a more agile governance of the program. 

2. The OIG’s more recent Semiannual Report states that OI&T has 11 re- 
ports open containing 60 recommendations but can’t seem to complete the 
actions necessary to close the recommendations? 

• For example, one report will be open for 2 years come July and yet the 
most significant recommendation remains open - which deals with re- 
viewing contractor security controls and practices to ensure compli- 
ance with VA’s information security requirements. 

VA Response: VA appreciates the work conducted by the Office of Inspector Gen- 
eral (OIG) to ensure that the Department is following the correct path in working 
to serve Veterans. VA takes OIG’s recommendations seriously, and where we concur 
with the recommendations, we work to implement the recommendations to OIG’s 
satisfaction as quickly as possible. 

VA’s OIT acknowledges that it has several outstanding recommendations over a 
year old. Many of these recommendations have either been submitted to OIG for clo- 
sure, or are in the process of being implemented. VA will continue to work with its 
OIG partners to implement and close all outstanding recommendations. 

VA has furnished OIG with what it believes to be responses sufficient to close the 
open recommendation for its oldest reports. 

3. What steps is VA taking to eliminate the IT Material weakness in FY 
13? 

VA Response: VA’s OIT has made strides to improve its information security 
program. While many of the changes in fiscal year (FY)2012 were recognized by OIG 
during the FY 2012 audits, those changes were not in place long enough to assure 
auditors a permanent process had been firmly established. In FY 2013, VA focused 
on the four major areas of repeat material weakness findings which are: Configura- 
tion Management, Access Controls, Security Documentation, and Contingency Plan- 
ning. The CRISP team and VA leadership are optimistic that the progress made 
from FY 2012 have been sustained, and when coupled with the early audit results 
this year, will show positive improvements during the remainder of FY 2013 audit 
results. FY 2013 also includes the introduction of a new office which focuses on 
patch management and baseline configuration management. While this program is 
new to FY 2013, it is demonstrating promise in its effectiveness. 

FY 2014 continues to bring other significant changes in working towards security 
improvement. Some examples of major initiatives include the Department-wide im- 
plementation of a Governance, Risk, and Compliance (GRC) tool (begun in 

FY 2013) which will aid in the assessments of the overall security posture within 
VA as well as the funding approval for a Security Information and Event Manage- 
ment (SIEM) tool to provide an audit log and event management oversight capa- 
bility. 

All of these efforts are in conjunction with VA’s 18-month plan in response to 
OIG’s Federal Information Security Management Act (FISMA) Audit. The plan, pro- 
vided to OIG and part of their FISMA report, addresses each and every OIG rec- 
ommendation with a plan to remediate the recommendation at various intervals, 
but no later than 18 months. This plan includes work to complete implementation 
of a risk governance structure, completion of a process for better documenting Plans 
of Actions and Milestones, update system security plans, finish implementing strong 
password requirements on all computers, continue reviewing user accounts for cor- 
rect level of user access, implement a mechanism for ensuring antivirus definitions 
are installed and up to date, and others. 

4. Why does VA have so many repeat findings and recommendations from 
the OIG’s FISMA work? Why has VA not made any significant progress to- 
wards eliminating these long standing recommendations? 

VA Response: As stated above, VA takes OIG’s recommendations seriously and 
is working to implement the recommendations with which VA concurs as quickly as 
possible, including several targeted efforts as outlined in the 18-month plan to ad- 
dress recommendations in OIG’s FISMA report. Many of the recommendations are 
technical in nature and require extensive research, and detailed implementation 
plans spanning more than a year in order to request closure of the recommendation 
by OIG. All findings have remediation plans either currently in development or exe- 
cution which will position VA to address OIG’s FISMA recommendations. 

5. What actions is VA taking to eliminate the use of clear text protocols 
used to transmit medical information between the VAMCs and the CBOCs 
over external service provider networks? 

VA Response: OIT does not agree with the conclusion reached by OIG in its re- 
cent report regarding data transmission. In its final report, OIG acknowledges that 
VA does not send unencrypted sensitive information over the public Internet. How- 
ever, VA does not agree with OIG’s assertion in its final report that the manner 
with which VA transmits data over its network necessarily exposes sensitive data 
to non-VA personnel. 

Although OIT does not agree with OIG’s findings in the OIG final report, we con- 
curred with the recommendation to immediately conduct a comprehensive review. 
The information contained in the OIG report is incorrect for the specific network 
links cited in Veterans Integrated Service Network 23, and is inaccurate of the net- 
work as a whole. 

VA takes a defense-in-depth approach to the protection of data in flight. 
Encryption is being deployed at the network layer as well as means to encrypt data 
in flight at the application layer. The Department is already approximately two 
thirds done with deployment of a Transmission Control Protocol/Internet Protocol 
(TCP/IP) Layer 3 bulk encryption solution for wide area network (WAN) links to its 
major facilities including medical centers, regional offices, and data centers. This 
would eliminate the passing of “clear text” across those VA WAN links regardless 
of the use of private external service provider networks as an underlying transport. 
Encryption for the links to major facilities is scheduled to be completed by the end 
of the calendar year and the same solution is being extended to the Department’s 
Community-Based Outpatient Clinics. 

In addition to the bulk WAN encryption, there is encryption at the application 
layer in some instances related to the transmission of medical and other sensitive 
data. For terminal emulation sessions to its hospital information systems (VistA), 
for instance, VA uses secure shell which encrypts all traffic transmitted between the 
end user client and the VistA system. For the bulk transmission of VistA data, the 
VistA systems end user clients and other VA servers have the capability to use se- 
cure file transmission protocol which encrypts the data in flight. For other types of 
sensitive transmissions, VA staff and systems have standard public key infrastruc- 
ture (PKI) capabilities to digitally sign and encrypt any transmissions and, for docu- 
ment encryption and user-based controls, VA has Rights Management Services 
(RMS). RMS encrypts documents regardless of where and how they are transmitted 
and controls how the recipient is permitted to handle the document (e.g., whether 
they are permitted to forward it, print it, store it, etc.). VA also uses secure socket 
layer and transport layer security, which encrypts sensitive http transmissions. All 
of these methods are in place and encrypt data transmissions independent of wheth- 
er or not the underlying network is, itself, encrypted. 

6. Based on the information provided in the Deloitte’s deep dive report 
detailing inefficiencies in OI&T operations, what steps will the CIO take to 
improve delivery of IT services? 

VA Response: VA is working hard to position its IT organization as a product 
and service delivery organization focused on providing quality customer service. VA 
asked for the Deloitte survey to be conducted specifically to help address any exist- 
ing issues in order to meet the goal of improving customer service. As part of our 
culture of constant measurement and evaluation against goals and objectives, lead- 
ership asked for a tough and thorough analysis to evaluate the effectiveness of the 
Service Delivery organization. 

Since the delivery of the Deloitte deep dive report, we have worked on expediting 
initiatives already in place designed to improve service delivery and have begun two 
related efforts to address customer service and communications issues. We are cur- 
rently exploring ways of accelerating the implementation of the National Service 
Desk, which we believe will streamline and improve our efficiency in capturing 
issues facing our customers so they can be addressed and resolved more quickly and 
analyzed more comprehensively so as to enable proactive efforts to do IT preventive 
maintenance interventions, where necessary. 
In terms of new efforts, we established a Customer Advisory Tiger Team in April 
2013, comprised of members of field-based employees from the Veterans Health Ad- 
ministration (VHA) and OIT as recommended by the Assistant Deputy Undersecre- 
tary for Health and the Acting Assistant Secretary for Information and Technology. 
This tiger team is tasked to explore the impact of OIT organizational initiatives, 
such as the establishment of regional service lines. Recommendations resulting from 
the work of this committee were presented to the Acting Assistant Secretary for OIT 
in August 2013. In addition, we have begun an effort toward enhancing field com- 
munications and dialogue between VACO and the field through direct meetings, 
mostly via teleconferencing, with field leadership in the Veterans Benefits Adminis- 
tration (VBA) regional offices, VA medical centers, and National Cemetery Adminis- 
tration offices, working to identify and solve issues identified through focus group 
dialogues and intervention by our customer service improvement council. Using the 
October 2013 VA-wide customer satisfaction survey as a launching point, this pro- 
gram of structured interviews will identify six issues to address nationwide on a 
quarterly basis. The first of several quarterly reports is due at the end of this 
month, and the six initial issues we seek to address were identified in August 2013. 
The investigation process will continue with additional interviews in the next two 
quarters. 

OIT leadership is actively working with field staff to keep communication lines 
open as changes to the organization are developed and implemented. The Acting As- 
sistant Secretary for OIT conducts weekly calls with IT field leadership to keep 
them informed and involved in this significant initiative to transform service deliv- 
ery at VA. VA will keep the committee informed after recommendations are selected 
for adoption and the initial set of six customer concern issues are selected for resolu- 
tion. 

7. How will the issuance of the PIV badge affect the ability of the Depart- 
ment to respond to Congressional requests, litigation demands, and other 
similar requests to search, decrypt and release bulk volumes of VA emails? 
Does the planned roll-out of the PIV badge tied to automatic encryption 
hinder timely responses to such requests in any way? 

VA Response: The issuance and use of Personal Identity Verification (PIV) cards 
will improve the security posture of VA by ensuring only authorized employees have 
access to general information systems by requiring a higher level of assurance 
through using multi-factor authentication. Multi-factor authentication and hard PKI 
certificates associated with the PIV card will improve network access and help se- 
cure VA and Veteran’s information. The use of PIV cards with hard PKI certificates 
to encrypt/decrypt email complicates the response to e-Discovery request. We have 
several efforts underway to improve our response times when dealing with emails 
encrypted with a hard PKI certificate, as VA understands the importance of com- 
plying with such requests. 

8. Why is it that the PMAS processes only focuses on meeting milestones 
and schedule but there are no metrics around quality, functionality and 
customer satisfaction? 

VA Response: The Project Management Accountability System (PMAS) is an 
evolving IT project development methodology and management oversight system. 
From the very inception of PMAS, VA leadership planned to systematically expand 
the scope and function of PMAS over time. PMAS was initially implemented to en- 
sure on-time delivery of IT capabilities. PMAS’ initial focus on schedule was the 
most impactful to reviving the IT delivery rate at VA. However, PMAS continues 
to evolve and now also includes quality, functionality and customer satisfaction ele- 
ments. 

PMAS Guide 4.0, dated November 7, 2012, establishes current PMAS policy. 
PMAS mandates that IT customers be engaged in the process of identifying the 
functionalities and capabilities that new IT projects are to deliver. Before develop- 
ment of a new IT project begins, as well as during the development process, the cus- 
tomer is intricately involved and their satisfaction is a critical element in the ability 
of that project to continue development. In addition, PMAS requires direct and con- 
tinual participation by the customer across the entire life cycle of project develop- 
ment via the Integrated Project Team. Specifically, PMAS policy mandates that the 
Project Manager and the customer agree not only on the IT capability to be deliv- 
ered, but also on the schedule by which the new IT capability is to be developed. 

At the conclusion of each development period, called increments, the customer 
must approve of the capabilities which were delivered. Without this measure of cus- 
tomer satisfaction being achieved, the project cannot continue development. To de- 
liver on time, the capability must be delivered to a production environment by the 
scheduled increment delivery date, and the customer must agree that the capability 
meets desired functionality and schedule goals. 

Recently, measuring functionality (scope) has also been added to PMAS by cap- 
turing function points delivered in an IT project’s increment. Function points meas- 
ure an amount of business functionality delivered by the IT system to its users. By 
capturing these metrics, analysis can be conducted to also measure the effectiveness 
and efficiency of functionality delivered to the VA enterprise. 

In addition to measuring functionality, PMAS is now able to capture costs per in- 
crement by integrating data from the Budget Tracking Tool and PMAS data to 
achieve a cost per increment. 

The PMAS program will continue to mature; the near-future will focus on: (1) 
increasing customer satisfaction by assisting the customer in determining and meas- 
uring the business value the increment delivers; (2) recognizing and verifying the 
progress toward achieving the customers’ strategic goals and objectives; and (3) de- 
termining the quality of the code delivered to production. 

9. The VA regulations on Information Security Matters at 38 CFR Part 75 
appear to authorize an accelerated response with notice to the subjects of 
a data breach and/or an offer of credit protection services. How many times 
has credit protection service been offered to veterans for FY 2008-2012 and 
for each such instance, to how many veterans were such services offered? 
Please provide the annual cost for credit services for each year between FY 
2008-2012. 

VA Response: The following table demonstrates the number of credit monitoring 
offers extended by VA, and the cost to the agency. 


FY          Issued      Cost 
FY 2009     20,287      97,519 
FY 2010     28,369      148,367 
FY 2011     26,980      74,908 
FY 2012     16,160      39,498 
FY 2013*    11,485      25,156 

*so far through July 


VA has reached out to Veterans Service Organizations to help encourage Veterans 
who are offered credit monitoring to accept the service. 

10. Under the regulations at 38 CFR Part 75, if the Secretary determines 
that individual notice is not warranted for a data breach, then an inde- 
pendent risk analysis is required to be performed. How many risk analyses 
have been performed in accordance with these provisions for FY 2008 to 
present? Please describe each occurrence of such analysis including the 
findings and conclusions. Please also indicate each date and instance in 
which a data breach was reported to OMB and/or to Congress within FY 
2008 to present. 

VA Response: The results of several contracted Independent Risk Analyses 
(IRA) VA has conducted are below. The costs for each IRA are at least $29,000 and 
as much as $67,000. In 2012 alone, there were 4,724 incidents. Conducting an IRA 
for each incident would have cost the Government over $136 million. The costs are 
not justified by the results from the IRAs. Of note, VA’s OIG has declined to conduct 
IRAs as authorized by 38 U.S.C. § 5724(a). 

In order to protect our Nation’s Veterans, VA uses a very low threshold for offer- 
ing credit protection services when a Veteran’s sensitive personal information is the 
subject of a data breach. All reported incidents are triaged by VA’s Incident Re- 
sponse Team and forwarded to the Department-wide Data Breach Core Team 
(DBCT) to determine when credit monitoring or notification letters are required. 
The DBCT team performs the same function as the IRA at a much lower cost. 

Additionally, the Department routinely performs other monitoring activities to en- 
sure information is protected and has not been compromised, including conducting 
quarterly generalized data breach analysis on the 20 million Veterans names in the 
Beneficiary Identification Record Locator Subsystem to determine if any anomalies 
indicating identity theft warrant intervention on behalf of the Veteran. If such 
anomalies are detected, individual Veterans are notified by mail. This proactive 
data breach analysis identifies both potential identity theft that may be the result 
of undetected VA data breaches and identity theft unrelated to VA experienced by 
the Veteran population. 

1. April 2008 - An Independent Risk Analysis (IRA) was completed on an incident 
that involved unaccounted for IT Equipment Inventory losses across VA. A reason- 
able risk of harm was not found. Approximately $53,000. 

2. June 2008 - An IRA was completed on an incident that involved lost CD’s at 
VBA regional offices. A reasonable risk of harm was not found. Approximately 
$29,000. 

3. October 2009 - An IRA was completed on an incident that involved contracted 
transcription services done for various facilities within VHA. A reasonable risk of 
harm was not found. Approximately $67,000. 

4. April 2011 - An IRA was contracted regarding an OIT employee in Fayetteville, 
North Carolina, who was stealing identities. The contract was cancelled in Sep- 
tember 2011, after the employee was convicted and the OIG determined the inves- 
tigation was complete. Credit protection services were provided due to reasonable 
risk of harm. 

11. By letter to the committee dated May 14, 2013, you stated: “To be 
clear, VA’s security posture was never at risk.” Please explain how this 
statement is true given the admissions uncovered in the hearing that sys- 
tems and networks had been breached by foreign state actors and the testi- 
mony of OIG that, at one point, there were 4000 open vulnerabilities. If the 
statement was untrue when made (as it certainly appears), please describe 
what disciplinary action is being taken for the subordinates responsible. 

VA Response: As has been previously explained to the committee on July 12, 
2013, this statement came in the context of a response to an inquiry on a particular 
topic. On April 25, 2013, VA received a letter from Congressman Coffman asking 
how VA will renew its “Authorizations to Operate” (ATO) various IT systems “with- 
out compromising system security.” The Secretary responded to this question in a 
letter on May 14, 2013, outlining the ATO process and stating that through this 
process, “VA’s security posture was never at risk.” As the Acting Assistant Secretary 
for OIT, Mr. Stephen Warren indicated in the testimony at the June 4, 2013, Sub- 
committee hearing, that specific phrase in the letter was and is clearly referring to 
the context of the letter: The process to approve “Authorizations to Operate” did not 
“compromise system security.” The line did not - and was not meant to — imply that 
normal operation of VA systems were never at risk based on other factors. Further, 
as you know, Mr. Warren indicated in the hearing that his office drafted that letter 
for the Secretary’s signature and that in retrospect Mr. Warren believes he could 
have been more clear. Regardless, the sentence is within the context of the ATO sit- 
uation and responds to Congressman Coffman’s request for assurance that the proc- 
ess of renewing ATOs would not put VA systems at risk. 

12. Reports indicate that VA became aware in January, 2013, of an inci- 
dent where attackers used a spearphishing attack to gain access to a joint 
VA-DoD network dealing with health data. How many instances have hack- 
ers tried to use VA networks to gain access to Defense Department com- 
puter systems? Please describe each instance and what corrective actions 
were taken in response. 

VA Response: A response to this question was provided in a briefing to Com- 
mittee staff on July 12, 2013. VA is bound by agreements with outside agencies to 
not reveal information they report to the department in public documents or set- 
tings. This has been explained to committee staff several times. 

Questions for the Record from Congressman Tim Huelskamp 

1. I reiterated in my questioning during your testimony, if you could 
please communicate with the appropriate individual my request for an- 
swers to the letters I sent to the Department of Veteran Affairs on Sep- 
tember 23, 2012 and October 3, 2012? If you need a copy of those questions, 
my office would be happy to provide those to you. 
VA Response: VA provided a response to Congressman Huelskamp’s October 3, 
2012, letter on January 24, 2013. A response to Congressman Huelskamp’s Sep- 
tember 23, 2012, letter will be provided as soon as it is available. 

2. Your explanation for receiving $87,000 in bonuses was that you met the 
performance expectations laid out for you by your leadership — could you 
please provide further explanation of those expectations to my office? 

VA Response: Mr. Warren met and exceeded the performance expectations set 
by his supervisors. As a Senior Executive, Mr. Warren was responsible for meeting 
the executive core requirements of leading change, leading people, being results- 
driven, exercising business acumen, and building coalitions. Mr. Warren has ex- 
celled in these areas as reflected in the performance appraisals. 

3. Can you please provide information on how data security at the De- 
partment of Veteran Affairs compares with industry standards outside the 
federal government? Specifically, please describe the current data 
encryption process used by the Department of Veteran Affairs. 

VA Response: Effectively comparing data security at VA to industry standards 
largely depends on what sector of industry is being used for comparison. VA is on 
par with health care providers in terms of data security based on publicly available 
data regarding Health Insurance Portability and Accountability Act reports to the 
Department of Health and Human Services. VA has made great strides in 
encrypting laptops and desktops, having completed approximately 99.6 percent 
encryption of laptops and 70 percent encryption of desktops, with the remainder of 
desktop encryption to be completed by the end of the calendar year. 

4. It was stated during the hearing that outside foreign agents have had 
access to information in the Veterans Affairs database. Could you please 
provide to me detailed information on who has accessed the data, the 
date(s) it was accessed, and what the Department of Veteran Affairs has 
done to prevent future compromises to the system? 

VA Response: A response to this question was provided in a briefing to Com- 
mittee staff on July 12, 2013. VA is bound by agreements with outside agencies to 
not reveal information they report to the department in public documents or set- 
tings. This has been explained to committee staff several times. 
